Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Web Discovery

CVE-2025-40587

  • What: A stored cross-site scripting (XSS) vulnerability exists in Polarion versions V2404 and V2410 due to improper handling of JavaScript code in document titles.
  • Impact: An authenticated remote attacker could inject arbitrary JavaScript code into document titles, potentially affecting other users who view the crafted titles.
  • Affected: Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2).
  • CVSS: v3 Base Score: 7.6

CVE-2025-40587 (medium)

Description

A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code to be included in document titles. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by creating specially crafted document titles that are later viewed by other users of the application.

References

  • https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-02
  • https://cert-portal.siemens.com/productcert/html/ssa-035571.html

Details

  • Source: Mitre, NVD
  • Published: 2026-02-10
  • Updated: 2026-02-10

Risk Information

  • CVSS v2 Base Score: 7.5, Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:P/A:N, Severity: High
  • CVSS v3 Base Score: 7.6, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, Severity: High
  • CVSS v4 Base Score: 6.2, Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N, Severity: Medium
  • EPSS: 0.00044
