PatchSiren

CVE-2025-40587 Siemens CVE debrief

CVE-2025-40587 is a stored cross-site scripting issue in Siemens Polarion affecting document titles. According to the advisory metadata, an authenticated remote attacker can place arbitrary JavaScript into a specially crafted document title, and that content may execute when other users later view it. Siemens and CISA list fixes for Polarion V2404 and V2410, and the issue is rated HIGH with a CVSS 3.1 score of 7.6.

Vendor: Siemens
Product: Polarion V2404
CVSS: HIGH 7.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-10
Original CVE updated: 2026-02-12
Advisory published: 2026-02-10
Advisory updated: 2026-02-12

Who should care

Organizations running Siemens Polarion V2404 or V2410 should prioritize this issue, especially teams with multiple users who can create, edit, or review documents. Security administrators, application owners, and any environment exposing Polarion to authenticated remote users should care most because the flaw requires login but can impact other users who view the crafted content.

Technical summary

The supplied CSAF metadata describes an authenticated stored XSS condition where arbitrary JavaScript can be embedded in document titles. The CVSS vector is AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope (impact beyond the vulnerable component), with high confidentiality impact, low integrity impact, and no availability impact. The advisory maps the issue to CWE-79 and lists remediations for Polarion V2404 and V2410.

Defensive priority

High. The flaw is reachable over the network, requires only low privileges, and can affect other users through stored content. Because the injected content persists until another user views it, remediation should be scheduled promptly rather than deferred to routine maintenance.

Recommended defensive actions

  • Upgrade Siemens Polarion V2404 to version 0.5 or later (V2404.5), as listed in the advisory remediation text for the affected product identifier CSAFPID-0001.
  • Upgrade Siemens Polarion V2410 to version 0.2 or later (V2410.2), as listed in the advisory remediation text for the affected product identifier CSAFPID-0002.
  • Review document title handling and any downstream rendering paths for output encoding and XSS protections.
  • Limit who can create or edit documents where practical, since the attack requires authenticated access.
  • Monitor for unexpected script-like content in document titles and related audit logs.
  • Validate that browsers and security controls are enforcing modern anti-XSS protections, but do not rely on them as the primary fix.
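
An added example of the title monitoring recommended above (not part of the advisory and not Polarion tooling): it scans exported document titles for markup, event-handler attributes and script URIs after undoing entity and percent encoding. The (document id, title) export format, the function names and the sample rows are constructed assumptions.

```python
import html
import re
from urllib.parse import unquote

# Patterns that have no business in a plain-text document title.
SUSPICIOUS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z!][^>]*>?", re.I),
    "event_handler": re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "script_uri": re.compile(r"\b(?:javascript|vbscript)\s*:", re.I),
}

def normalize(title: str, rounds: int = 3) -> str:
    """Undo layered HTML-entity and percent encoding so encoded markup is visible."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(title))
        if decoded == title:
            break
        title = decoded
    # Drop control characters (tab, newline, NUL) that can split a URI scheme name.
    return re.sub(r"[\x00-\x1f\x7f]", "", title)

def scan_titles(rows):
    """Return [(doc_id, [reason, ...])] for every title matching a pattern."""
    findings = []
    for doc_id, title in rows:
        text = normalize(title)
        reasons = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))
        if reasons:
            findings.append((doc_id, reasons))
    return findings

# Constructed sample export: (document id, title). Not real Polarion data.
SAMPLE = [
    ("DOC-1", "System Requirements Specification v2"),
    ("DOC-2", "Release notes <img src=x onerror=alert(1)>"),
    ("DOC-3", "Design &lt;script&gt;fetch('/x')&lt;/script&gt;"),
    ("DOC-4", "Test plan: throughput < 5 ms, latency > 2 ms"),  # benign use of < and >
    ("DOC-5", "Link %3Ca href=java%09script:void(0)%3Ehere%3C/a%3E"),
]

if __name__ == "__main__":
    for doc_id, reasons in scan_titles(SAMPLE):
        print(doc_id, ",".join(reasons))
```

Matches are triage leads for review against audit logs, not proof of exploitation; the upgrade remains the fix.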

Evidence notes

This debrief is based on the supplied CISA CSAF metadata for ICSA-26-043-02 and its Siemens ProductCERT references. The metadata explicitly states that arbitrary JavaScript can be included in document titles and that this can lead to stored cross-site scripting when other users view the titles. The source also lists affected products Polarion V2404 and Polarion V2410, remediation versions V2404.5 and V2410.2 or later, CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, and CWE-79. The CVE publication date used here is 2026-02-10, with a source republication/update on 2026-02-12.

Official resources

CISA published the advisory on 2026-02-10 and republished it on 2026-02-12 as an initial republication of Siemens ProductCERT advisory SSA-035571. No KEV listing was supplied for this CVE in the provided corpus.