IronMonkey Threat Research

Siemens gWAP

HIGH
CVSS 8.0
Date 2026-05-14T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain in Axios that allows a prototype pollution flaw in any other third-party library to be escalated into arbitrary code execution. Siemens has released a new version of gWAP and recommends updating to the latest version.

// Vulnerabilities (1)

CVE ID CVE-2026-40175
CVSS Score 8.0
Severity high
Description Axios is a promise-based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific "Gadget" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). This vulnerability is fixed in 1.15.0 and 0.3.1. An attacker would need privileged access to the application in order to exploit it.
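The practical question for a defender reading this advisory is whether a deployment still carries an Axios release below the fixed versions. The script below is an added example, not code from the advisory, from Siemens, or from the Axios project: it walks a package-lock.json (lockfile v2/v3 "packages" layout is assumed) and flags every Axios copy, including nested ones, whose version is below the fixed release for its major line as stated above (1.15.0 for 1.x, 0.3.1 for 0.x). The lockfile content embedded at the bottom is constructed sample data.

```javascript
// Added example: find Axios copies in a package-lock.json that predate the
// fixed releases named in the advisory. Not from the advisory or the Axios project.

// Fixed releases per major line, taken from the advisory text above.
const FIXED_BY_MAJOR = { 1: [1, 15, 0], 0: [0, 3, 1] };

// Parse "major.minor.patch" (optional leading "v"); returns null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true  -> below the fixed release for its major line
// false -> at or above the fixed release (or a later major line)
// null  -> version string could not be parsed; review manually
function isVulnerableAxios(version) {
  const parsed = parseVersion(version);
  if (parsed === null) return null;
  const fixed = FIXED_BY_MAJOR[parsed[0]];
  if (!fixed) return parsed[0] < 1; // majors above 1 postdate the fix
  return compareVersions(parsed, fixed) < 0;
}

// Scan the "packages" map of a lockfile (assumed v2/v3 layout). Every entry
// whose path ends in node_modules/axios is a separate installed copy, so
// nested duplicates under other dependencies are checked too.
function findVulnerableAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/axios$/.test(path)) continue;
    const vulnerable = isVulnerableAxios(meta.version);
    if (vulnerable !== false) {
      hits.push({ path, version: meta.version, vulnerable });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real gWAP manifest): one top-level copy,
// one fixed nested copy and one old 0.x nested copy.
const SAMPLE_LOCK = {
  name: "sample-web-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-web-frontend", version: "0.0.0" },
    "node_modules/axios": { version: "1.14.2" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.15.0" },
    "node_modules/legacy-tool": { version: "0.9.0" },
    "node_modules/legacy-tool/node_modules/axios": { version: "0.2.4" },
  },
};

for (const hit of findVulnerableAxios(SAMPLE_LOCK)) {
  const state = hit.vulnerable === null ? "UNPARSEABLE" : "BELOW FIX";
  console.log(`${state}: ${hit.path} @ ${hit.version}`);
}
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; because the check is keyed on the installed path rather than the top-level dependency list, a patched root copy does not hide an older copy pinned by a transitive dependency.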

// Remediations (1)

Patch: Update to V3.1.1 or later version

// References