CISA 2026-05-14

Siemens gWAP

CVE-2026-40175

Machine-generated analysis · WAYSCloud LLM

The vulnerability originates in a third-party Axios library dependency and exploits prototype pollution to escalate into remote code execution. Siemens has released version 3.1.1 to address this issue.

Context

Siemens gPROMS Web Applications Publisher (gWAP) is a web application publishing tool. The advisory states that a specific 'Gadget' attack chain via the Axios HTTP client library can lead to prototype pollution in other dependencies, potentially allowing remote code execution. The vulnerability is noted to affect critical manufacturing sectors and has a CVSSv3.1 base score of 8.0.

Operator considerations

- Check: verify gWAP version against affected range
- Patch: update to gWAP version 3.1.1 or later
- Isolate: restrict network access to gWAP as recommended

From Cybersecurity and Infrastructure Security Agency ↗

Siemens gPROMS Web Applications Publisher (gWAP) is affected by a remote code execution vulnerability introduced through a third-party component, namely the Axios HTTP client library. The vulnerability stems from a specific "Gadget" attack chain that allows prototype pollution in other third-party libraries, potentially allowing an attacker to execute arbitrary code. Siemens has released a new version for gWAP and recommends to update to the latest version.

The following versions of Siemens gWAP are affected:

gWAP vers:intdot/

Read the full advisory on CISA →