CVE-2025-40587
Published: 10 February 2026
Summary
CVE-2025-40587 is a medium-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the 6.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-40587 is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting Siemens Polarion ALM software in versions V2404 prior to V2404.5 and V2410 prior to V2410.2. The flaw arises because the application permits arbitrary JavaScript code to be embedded in document titles, enabling malicious payloads to be stored and rendered when documents are accessed. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), reflecting high severity due to its network accessibility, low attack complexity, and potential for confidentiality impacts across a changed scope.
An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability by creating a document with a specially crafted title containing JavaScript code. When other users subsequently view the document, the injected script executes in their browsers, potentially leading to session hijacking, data theft, or further compromise within the application's context. The attack requires user interaction (UI:R) from victims but leverages the stored nature of the payload for broad reach among application users.
Mitigation involves upgrading to Polarion V2404.5 or later, or V2410.2 or later, as these versions address the issue. Additional details are available in the Siemens product CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-035571.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207262
Vulnerability details
A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code to be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by creating specially crafted document titles that are later viewed by other users of the application.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables exploitation of a public-facing web app (T1190) with arbitrary JavaScript execution (T1059.007) in victim browsers, facilitating session hijacking (T1185).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents stored XSS by validating and sanitizing user-supplied document titles to block arbitrary JavaScript injection.
Filters output of document titles during rendering to neutralize embedded JavaScript before execution in victims' browsers.
Ensures timely remediation of the specific XSS flaw by patching vulnerable Polarion versions.
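
The input validation (SI-10) and output filtering (SI-15) controls described above, sketched as an added example in JavaScript. This is not Polarion or Siemens code; the function names, the 200-character limit and the sample titles are assumptions constructed for illustration.

```javascript
'use strict';

// SI-15 (output filtering): encode for HTML element text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// SI-10 (input validation): normalise and bound the title when it is stored.
// Validation does not replace encoding: "<" and "&" are legitimate in titles,
// so they are kept here and neutralised at render time instead.
const MAX_TITLE_LENGTH = 200; // assumed limit, not a Polarion value
function validateTitle(raw) {
  if (typeof raw !== 'string') throw new TypeError('title must be a string');
  const title = raw
    .normalize('NFC')
    .replace(/[\u0000-\u001f\u007f]/g, ' ') // control characters become spaces
    .replace(/\s+/g, ' ')
    .trim();
  if (title.length === 0 || title.length > MAX_TITLE_LENGTH) {
    throw new RangeError('title length out of bounds');
  }
  return title;
}

// Vulnerable pattern: the stored title is concatenated straight into markup,
// so any markup in it is parsed by every viewer's browser.
function renderTitleUnsafe(doc) {
  return `<a href="/doc/${doc.id}" title="${doc.title}">${doc.title}</a>`;
}

// Hardened pattern: every stored value is encoded for the context it lands in.
function renderTitleSafe(doc) {
  const t = encodeHtml(doc.title);
  return `<a href="/doc/${encodeURIComponent(doc.id)}" title="${t}">${t}</a>`;
}

// Constructed sample records (hypothetical document store).
const stored = [
  { id: 'REQ-1', title: validateTitle('Latency < 5 ms & jitter "low"') },
  { id: 'REQ-2', title: validateTitle('<script>alert(1)</script>') },
];

for (const doc of stored) {
  console.log('unsafe:', renderTitleUnsafe(doc));
  console.log('safe:  ', renderTitleSafe(doc));
}
```

The legitimate title keeps its `<`, `&` and quotes for readers while the second title is displayed as inert text, which is why encoding at output is the control that closes the flaw and validation only narrows what gets stored.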