Siemens Polarion

Plan Patch · CVSS 7.6 · ICS-CERT ICSA-26-043-02 · Feb 10, 2026
Siemens
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Polarion before V2506 contains a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts into the web interface. The vulnerability affects users interacting with Polarion through a web browser.

What this means
What could happen
An authenticated attacker could inject malicious scripts that execute in the browsers of other Polarion users, potentially stealing session credentials or performing actions on their behalf within the Polarion system.
Who's at risk
Siemens Polarion users, particularly those managing requirements, test cases, or documents through the web interface. This affects any organization using Polarion V2404 (before 2404.5) or V2410 (before 2410.2) for product lifecycle management, software engineering collaboration, or quality assurance workflows.
How it could be exploited
An attacker with valid Polarion credentials inputs malicious JavaScript code into a vulnerable input field. When other users view the affected page or content, the script executes in their browser in the context of their Polarion session, allowing the attacker to harvest credentials or trigger unintended actions.
Prerequisites
  • Valid Polarion user credentials
  • Network access to Polarion web interface
  • A victim user must view the page or content containing the injected script
  • Requires valid authentication
  • Low exploit complexity
  • Affects stored data integrity within Polarion
  • Could compromise user sessions and workflows
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (2)
2 with fix
Product          Affected Versions   Fix Status
Polarion V2404   < 2404.5            2404.5
Polarion V2410   < 2410.2            2410.2
Remediation & Mitigation
Do now
HARDENING: Educate users not to click on suspicious links within Polarion messages or reports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Polarion V2404
HOTFIX: Update Polarion V2404 installations to version 2404.5 or later
Polarion V2410
HOTFIX: Update Polarion V2410 installations to version 2410.2 or later
API: /api/v1/advisories/962e72bd-8ad5-4bdb-a838-3e96e2a5eb5a
