Description
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.
Published: 2026-04-14
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a browser-based cross‑site scripting flaw that allows an unauthenticated attacker to craft a malicious URL. When a victim follows that link, the attacker's code is executed inside the victim’s browser, enabling the attacker to access or modify sensitive application data, thereby compromising confidentiality and integrity while leaving availability intact.

Affected Systems

SAP Supplier Relationship Management, specifically the SICF Handler in the SRM Catalog. No vendor‑specific version information is provided in the CVE data, so all installations that include this handler are potentially impacted until a patch is applied.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate risk. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation appears to require an attacker to supply a malicious link to a user, suggesting a social‑engineering or remote‑access attack vector that can be mitigated with timely patching and user awareness.

Generated by OpenCVE AI on April 14, 2026 at 01:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify which SAP Supplier Relationship Management installations include the SICF Handler and assess if the version is vulnerable.
  • Apply the security update or patch provided in SAP Note 3645228 as soon as it is available.
  • If immediate patching is not possible, block or filter malicious URLs and restrict scripting in browsers to reduce the impact.
  • Continuously monitor application logs for suspicious XSS activity and conduct periodic security reviews.

Generated by OpenCVE AI on April 14, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap supplier Relationship Management
Vendors & Products Sap
Sap supplier Relationship Management

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.
Title Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Sap Supplier Relationship Management
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:19.450Z

Reserved: 2025-12-09T22:06:50.861Z

Link: CVE-2026-0512

cve-icon Vulnrichment

Updated: 2026-04-14T13:09:28.819Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-14T00:16:03.700

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-0512

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:31:33Z

Weaknesses