CVE-2025-40587
Published: 10 February 2026
Summary
CVE-2025-40587 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 6.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Stored XSS directly enables exploitation of a public-facing web app (T1190) with arbitrary JavaScript execution (T1059.007) in victim browsers, facilitating session hijacking (T1185).
NVD Description
A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code to be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by creating specially crafted document titles that are later viewed by other users of the application.
Deeper analysis (AI)
CVE-2025-40587 is a stored cross-site scripting (XSS) vulnerability (CWE-79) affecting Siemens Polarion ALM software in versions V2404 prior to V2404.5 and V2410 prior to V2410.2. The flaw arises because the application permits arbitrary JavaScript code to be embedded in document titles, enabling malicious payloads to be stored and rendered when documents are accessed. It carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), reflecting high severity due to its network accessibility, low attack complexity, and potential for confidentiality impacts across a changed scope.
An authenticated remote attacker with low privileges (PR:L) can exploit this vulnerability by creating a document with a specially crafted title containing JavaScript code. When other users subsequently view the document, the injected script executes in their browsers, potentially leading to session hijacking, data theft, or further compromise within the application's context. The attack requires user interaction (UI:R) from victims but leverages the stored nature of the payload for broad reach among application users.
Mitigation involves upgrading to Polarion V2404.5 or later, or V2410.2 or later, as these versions address the issue. Additional details are available in the Siemens product CERT advisory at https://cert-portal.siemens.com/productcert/html/ssa-035571.html.
Details
- CWE(s)