OTPulse

Cross Site Scripting Vulnerability in Polarion Before V2506

Plan Patch · 7.6 · SSA-035571 · Feb 10, 2026
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Polarion before V2506 contains a cross-site scripting (XSS) vulnerability that allows authenticated remote attackers to inject malicious scripts. When other users access content containing the injected script, it executes in their browser session. The vulnerability is present in V2404 (prior to 2404.5) and V2410 (prior to 2410.2).

What this means
What could happen
An authenticated user with access to Polarion could inject malicious scripts that execute in other users' browsers when they view affected pages, potentially allowing credential theft or unauthorized actions on their behalf.
Who's at risk
Organizations using the Siemens Polarion application development and collaboration platform. Any team member with Polarion access could be affected if they view content created by an attacker.
How it could be exploited
An attacker with valid Polarion credentials creates a malicious input (e.g., in a project description, comment, or custom field) containing JavaScript. When other users view that content in their browsers, the script executes in their session context, allowing the attacker to steal session cookies or perform actions as those users.
Prerequisites
  • Valid Polarion user account credentials
  • Ability to create or edit content that other users will view (project item, comment, or field)
Tags: remotely exploitable, authentication required, affects multi-user systems, session hijacking risk
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2), 2 with fix

Product          Affected Versions   Fix Status
Polarion V2404   < 2404.5            2404.5
Polarion V2410   < 2410.2            2410.2
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Polarion V2404
Hotfix: Update Polarion V2404 to version 2404.5 or later
Polarion V2410
Hotfix: Update Polarion V2410 to version 2410.2 or later
API: /api/v1/advisories/f2c95168-9a47-415c-af75-c4592dc7d06c