Cyber Resilience

CVE-2025-40587

Severity: Medium
Published: 10 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 6.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-40587 is a medium-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 6.2th percentile of exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-40587 is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting Siemens Polarion ALM software in versions V2404 prior to V2404.5 and V2410 prior to V2410.2. The flaw arises because the application permits arbitrary JavaScript code to be embedded in document titles, enabling malicious payloads to be stored and rendered when documents are accessed. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), reflecting high severity due to its network accessibility, low attack complexity, and potential for confidentiality impacts across a changed scope.

An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability by creating a document with a specially crafted title containing JavaScript code. When other users subsequently view the document, the injected script executes in their browsers, potentially leading to session hijacking, data theft, or further compromise within the application's context. The attack requires user interaction (UI:R) from victims but leverages the stored nature of the payload for broad reach among application users.

Mitigation involves upgrading to Polarion V2404.5 or later, or V2410.2 or later, as these versions address the issue. Additional details are available in the Siemens product CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-035571.html.

Vulnerability details

A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code to be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by creating specially crafted document titles that are later viewed by other users of the application.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-inferred)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS directly enables exploitation of a public-facing web app (T1190) with arbitrary JavaScript execution (T1059.007) in victim browsers, facilitating session hijacking (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23722 (shared CWE-79)
CVE-2025-68874 (shared CWE-79)
CVE-2025-53231 (shared CWE-79)
CVE-2026-22524 (shared CWE-79)
CVE-2025-0521 (shared CWE-79)
CVE-2025-15440 (shared CWE-79)
CVE-2025-22766 (shared CWE-79)
CVE-2026-22867 (shared CWE-79)
CVE-2022-50905 (shared CWE-79)
CVE-2026-42685 (shared CWE-79)

Affected Assets: inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-inferred)

prevent: Directly prevents stored XSS by validating and sanitizing user-supplied document titles to block arbitrary JavaScript injection.

prevent: Filters output of document titles during rendering to neutralize embedded JavaScript before execution in victims' browsers.

prevent: Ensures timely remediation of the specific XSS flaw by patching vulnerable Polarion versions.
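The first two controls above, input validation on the stored title and output encoding at render time, as an added example that is not Polarion's or Siemens' code; the function names, the regex and the sample titles are constructed for illustration:

```javascript
// Added illustration, not Polarion/Siemens code. Shows why output encoding
// (SI-15) is the fix for a title-based stored XSS, with an input-side check
// (SI-10) and a stored-data audit as defense in depth.

// Encode the five characters that are significant in an HTML element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored title is interpolated into markup verbatim,
// so any tags it contains are parsed and run by the viewer's browser.
function renderTitleUnsafe(title) {
  return `<h1 class="doc-title">${title}</h1>`;
}

// Hardened pattern: encode at the point of output so the browser treats the
// whole title as text regardless of what was stored.
function renderTitleSafe(title) {
  return `<h1 class="doc-title">${escapeHtml(title)}</h1>`;
}

// Input validation: a document title is plain text. Reject markup rather than
// trying to strip it; this is defense in depth, not a substitute for encoding.
const MARKUP_RE = /<[^>]*>|javascript:|\bon\w+\s*=/i;
function isPlainTextTitle(title) {
  return typeof title === 'string'
    && title.trim().length > 0
    && title.length <= 255
    && !MARKUP_RE.test(title);
}

// Audit helper for titles already in the database: returns the ones a
// defender should review after upgrading to a fixed version.
function auditTitles(titles) {
  return titles.filter((t) => !isPlainTextTitle(t));
}

// Constructed sample titles (not taken from the advisory).
const SAMPLE_TITLES = [
  'Release Plan Q3',
  'Contents = v2',
  'Spec <b>draft</b>',
  '<script>alert(1)</script>',
];

console.log(auditTitles(SAMPLE_TITLES));
console.log(renderTitleSafe(SAMPLE_TITLES[3]));
```

The audit step matters because upgrading fixes rendering going forward, but titles stored before the patch are still present in the database.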