CVE-2026-33862 Cert Portal CVE debrief

Who should care

Organizations running affected Siemens Teamcenter deployments, especially PLM administrators, application owners, and security teams responsible for browser-facing workflows and user-supplied content handling.

Technical summary

The flaw is consistent with reflected or stored XSS (CWE-79): user-controlled input is not properly encoded or filtered before being rendered to other users. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, indicating network reachability, low attack complexity, limited privileges required, and user interaction required, with high confidentiality and integrity impact.

Defensive priority

High

Recommended defensive actions

• Update affected Siemens Teamcenter installations to the fixed releases listed by the vendor: V2312.0014 or later, V2406.0012 or later, V2412.0009 or later, and V2506.0005 or later.
• Inventory Teamcenter instances and confirm which releases are in use before planning remediation.
• Review pages and workflows that render user-supplied input, especially where content is visible to other users.
• Validate that the patched version is deployed successfully and that the vendor guidance for the advisory has been applied.
• Monitor for anomalous script injection attempts or unexpected browser-side behavior in Teamcenter-related pages.
• Prioritize remediation for deployments exposed to many users or to broader internal network access.

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-134-04, which CISA notes is a republication of Siemens ProductCERT advisory SSA-827383. The supplied advisory text explicitly describes improper encoding/filtering of user-supplied data leading to malicious code execution in other users’ browsers. No KEV entry is present in the provided data.

Official resources