- What: A stored cross-site scripting (XSS) vulnerability has been identified in Siemens Polarion.
- Impact: An authenticated user can inject arbitrary JavaScript into document titles, which can execute in the browsers of other users who view those documents.
- Affected: Polarion V2404 releases prior to V2404.5 and Polarion V2410 releases prior to V2410.2.
- Patch: Siemens ProductCERT published advisory SSA-035571 with fixed release thresholds and remediation guidance.
- CVE: CVE-2025-40587

Siemens has confirmed a stored cross-site scripting (XSS) vulnerability in Polarion that affects multiple maintenance branches and must be patched: Polarion V2404 releases prior to V2404.5 and Polarion V2410 releases prior to V2410.2 are vulnerable to CVE-2025-40587, and Siemens’ ProductCERT published advisory SSA-035571 (February 10, 2026) with fixed release thresholds and remediation guidance. ([cert-portal.siemens.com](https://cert-portal.siemens.com/productcert/html/ssa-035571.html))

## Background / Overview

Polarion is Siemens’ application lifecycle management platform used by engineering teams across industries, including critical infrastructure sectors such as energy and manufacturing.

On February 10, 2026, Siemens ProductCERT published SSA-035571 describing a vulnerability (tracked as CVE-2025-40587) that allows an authenticated user to inject arbitrary JavaScript into document titles, which can later execute in the browsers of other users who view those documents. Siemens recommends upgrading affected product lines to the fixed versions or later to mitigate the issue.

Independent vulnerability trackers and vulnerability intelligence firms quickly mirrored Siemens’ advisory (OpenCVE, Tenable, CVE aggregators), confirming the affected versions, the stored XSS root cause (CWE-79), and the CVSS ratings that Siemens published. These sources uniformly recommend updating to the vendor-supplied fixes.

## What the advisory actually says (concise technical summary)

- Vulnerability: Stored cross-site scripting (XSS) (CWE-79) that permits attacker-controlled JavaScript to be embedded in document titles.
- Affected versions:
  - Polarion V2404: all versions earlier than V2404.5.
  - Polarion V2410: all versions earlier than V2410.2.
- CVE identifier: CVE-2025-40587.
- Severity: CVSSv3.1 base score 7.6 (High); CVSSv4 base score 6.2 (Medium) (vendor scores reported in the advisory).
- Exploit prerequisites: an attacker must be authenticated (low privilege is sufficient) to create the malicious document title; subsequent victims only need to view the document to trigger script execution.

These are core facts system owners and SOC teams must internalize immediately.

## Why this matters: risk and real-world impact

Stored XSS in a collaboration or ALM tool is a potent vector for targeted compromise inside organizations.

- Session capture and impersonation: JavaScript executed in another user’s browser can exfiltrate session tokens, cookies, or other credentials stored in the browser context and send them to an attacker-controlled receiver, enabling account takeover.
- Privilege escalation via workflow abuse: Polarion is used by engineering and product teams that frequently hold elevated project privileges or access to build artifacts, test plans, and integrations with CI/CD pipelines; hijacked sessions may be used to manipulate artifacts or trigger unsafe workflows.
- Supply-chain and build compromise: If an attacker can use stolen credentials or an elevated session to modify tracked requirements, artifacts, or integration endpoints, they can create a stealthy path into build systems or release pipelines.
- Operational disruption: In industrial and critical-infrastructure contexts, engineering ALM tools tie into operational workflows and approvals. A successful browser-based compromise could materially disrupt engineering operations or allow the injection of misleading artifacts into release processes.

Because the vulnerability is stored (persistent) and triggers simply by viewing a crafted document title, it lends itself to low-noise social engineering (e.g., sending a link to a familiar document with an enticing title) and can be weaponized inside trusted corporate email/chat channels.
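
Because the payload persists in the title field, stored titles can be reviewed for markup and rendered with output encoding. The following is an added example, not code from Siemens or the advisory: the `{id, title}` record shape, the function names and the sample titles are constructed assumptions, and no Polarion API is used.

```javascript
// Added example: audit exported document titles for stored markup and show
// the output encoding that neutralizes it. Record shape and data are constructed.

// Encode the five HTML-significant characters before writing text into HTML.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Constructs that have no place in a plain-text title. A "<" only opens a tag
// when a letter (or "/" plus a letter) follows it directly, so "a < b" is not flagged.
const SUSPICIOUS = [
  { name: 'html-tag', re: /<\/?[a-z]/i },
  { name: 'event-handler', re: /\bon[a-z]+\s*=/i },
  { name: 'script-uri', re: /\bjavascript\s*:/i },
];

// Return one finding per title that matches at least one pattern, together
// with the encoded form that is safe to display in a review report.
function auditTitles(records) {
  const findings = [];
  for (const { id, title } of records) {
    const hits = SUSPICIOUS.filter((p) => p.re.test(title)).map((p) => p.name);
    if (hits.length > 0) {
      findings.push({ id, hits, safeDisplay: encodeForHtml(title) });
    }
  }
  return findings;
}

// Constructed sample export: two ordinary titles and two carrying markup.
const SAMPLE_TITLES = [
  { id: 'DOC-1', title: 'Brake controller requirements v3' },
  { id: 'DOC-2', title: 'Test plan <script>alert(1)</script>' },
  { id: 'DOC-3', title: 'Release notes "><img src=x onerror=alert(1)>' },
  { id: 'DOC-4', title: 'Tolerance: a < b & c > d' },
];

for (const f of auditTitles(SAMPLE_TITLES)) {
  console.log(f.id, f.hits.join(','), '->', f.safeDisplay);
}
```

Findings are candidates for manual review rather than verdicts; the encoded form shows how a title should appear once it is written into an HTML context.
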

Multiple vulnerability trackers and Siemens’ own advisory stress the network-accessible nature of the issue when Polarion’s web interface is reachable by attackers, and the low attack complexity when an authenticated account is available.

## Affected products and safe upgrade thresholds

Siemens’ published remediation thresholds are explicit and must be followed exactly when triaging assets:

- Polarion V2404: update to V2404.5 or later.
- Polarion V2410: update to V2410.2 or later.

Operators running Polarion maintenance branches earlier than those fixed releases should plan immediate upgrades. Where direct upgrading is not immediately feasible (long maintenance windows, regulatory controls), strong compensating controls must be put in place while scheduling the patch.

Independent vulnerability aggregators corroborate Siemens’ version details and CVE metadata; cross-checking these external listings is a best practice when triaging enterprise assets.

## Technical analysis: how the vulnerability works

### 1. Root cause

Polarion failed to properly sanitize or encode user input used in the rendering context of document titles. The web UI renders titles without neutralizing special HTML/JavaScript elements, enabling attackers with write access to store script payloads that will execute in ot