OTPulse

Siemens Polarion

Plan Patch
CVSS 7.6
ICS-CERT ICSA-26-043-02
Feb 10, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Polarion before V2506 contains a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts. The vulnerability affects Polarion V2404 (before 2404.5) and V2410 (before 2410.2). Siemens has released patches for both versions.

What this means
What could happen
An authenticated attacker could inject malicious scripts into Polarion that execute in the browsers of other users viewing the affected content, potentially stealing credentials or session data. This could compromise engineering work and project documentation integrity.
Who's at risk
Siemens Polarion users and organizations managing industrial automation, electrical grid, or water system projects. Affects engineering teams using V2404 (before 2404.5) and V2410 (before 2410.2) for project collaboration, requirements management, and design documentation.
How it could be exploited
An attacker with valid Polarion credentials could inject JavaScript code into project data, work items, or comments. When other users access the affected content, the malicious script executes in their browser, allowing the attacker to capture sensitive information or perform actions on their behalf.
Prerequisites
  • Valid Polarion user credentials
  • Access to create or edit work items, comments, or other content in Polarion
  • Target user must view the page containing the injected script
Requires valid credentials · User interaction required · Affects IT confidentiality of project data
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Polarion V2404 | < 2404.5 | 2404.5
Polarion V2410 | < 2410.2 | 2410.2
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Polarion V2404
HOTFIX: Update Polarion V2404 to version 2404.5 or later
Polarion V2410
HOTFIX: Update Polarion V2410 to version 2410.2 or later
Siemens Polarion | CVSS 7.6 - OTPulse