Description
Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.
Published: 2026-01-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side XSS redirect
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to construct a link carrying a script payload that the SAP Business Connector webclient renders without adequate output encoding (CWE-79). When a user clicks the link, the injected script runs in the user's browser within the webclient's origin; the vendor description notes that the browser may be redirected to a site controlled by the attacker. Script executing in that origin can also read or modify data the browser holds for the webclient, compromising confidentiality and integrity. No impact on availability is anticipated.

Affected Systems

The affected product is SAP Business Connector from SAP, specifically version 4.8 as identified by the CPE. The flaw applies to any deployment that serves the webclient interface to users.

Risk and Exploitability

The CVSS 3.1 base score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates medium severity: the attack is reachable over the network, needs no privileges, and requires user interaction, and the changed scope (S:C) reflects that the damage lands in the victim's browser session rather than on the Business Connector host itself. The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog; the SSVC assessment recorded for this CVE rates exploitation as "none" and the flaw as not automatable. Exploitation does not require authentication: the practical precondition is a victim who follows the crafted URL, so the exposed population is every user who can reach the webclient and can be induced to click.

Generated by OpenCVE AI on April 18, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3666061 to correct the XSS flaw.
  • Verify that the webclient applies context-aware output encoding (HTML text, attribute, JavaScript and URL contexts) to every user-controlled value it renders. Input filtering alone is bypassable and is not a substitute; test by sending a harmless marker string in each reflected parameter and confirming it comes back encoded in the response.
  • If patching cannot be performed immediately, restrict network access to the webclient to trusted sources and deploy a Content Security Policy with a nonce-based script-src and form-action 'self'. CSP stops injected inline script and off-origin form posts but cannot block a plain navigation, so it reduces the XSS impact rather than the redirect itself.
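As an added example, not code from SAP or OpenCVE, the following Node.js script shows the mechanism behind the points above: what an unencoded reflected parameter lets a crafted link do, why output encoding at render time fixes it, and the shape of the CSP that limits the damage until the patch is applied. The path /webclient/search, the parameter q, the host names and the nonce are assumptions for illustration; the actual reflected parameter in SAP Business Connector is not disclosed on this page.

```javascript
// Added example, not code from SAP or OpenCVE: a reflected parameter rendered
// raw into the webclient page becomes an attacker-controlled redirect, and
// context-aware output encoding plus a Content Security Policy neutralise it.
// The path "/webclient/search", the parameter "q", the hosts and the nonce are
// assumptions for illustration only; the real reflected parameter is not public.

// Constructed attack URL of the kind the advisory describes: the payload closes
// the attribute it lands in and injects a script that navigates away.
const ATTACK_URL =
  "https://bc.example.internal/webclient/search?q=" +
  encodeURIComponent('"><script>location="https://attacker.example/"</script>');

function queryParam(url, name) {
  // URLSearchParams decodes the percent-encoding for us.
  return new URL(url).searchParams.get(name) ?? "";
}

// Vulnerable rendering (CWE-79): the value is dropped into HTML unchanged.
function renderVulnerable(q) {
  return `<input name="q" value="${q}">`;
}

// Encode the HTML-significant characters (plus backtick) for text and
// double-quoted attribute contexts. Other contexts (JS strings, URLs) need
// their own encoders; this one is only safe where it is used below.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;" };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Hardened rendering: encode at output time, in the context the value lands in.
function renderHardened(q) {
  return `<input name="q" value="${encodeHtml(q)}">`;
}

// Does the markup contain a script element the browser would execute?
// A regex is enough for this demo; real verification uses a browser or DOM parser.
function containsLiveScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script\s*>/i.test(html);
}

// Defence in depth for the window before the patch is applied: only scripts
// carrying the per-response nonce may run, plugins and <base> hijacks are off,
// and forms may only post back to this origin. CSP does not stop a plain
// navigation, so it limits injected script, not the redirect itself; encoding
// (or the vendor patch) remains the actual fix.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
    "form-action 'self'",
  ].join("; ");
}

// Walk the attack through both renderers and report what a tester would check.
function demo() {
  const q = queryParam(ATTACK_URL, "q");
  const vulnerable = renderVulnerable(q);
  const hardened = renderHardened(q);
  return {
    payload: q,
    vulnerableExecutes: containsLiveScript(vulnerable),
    hardenedExecutes: containsLiveScript(hardened),
    hardenedMarkup: hardened,
    csp: buildCsp("r4nd0m"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The marker-string test from the recommended actions is the same check `containsLiveScript` approximates: send a value that would close the surrounding attribute, and confirm the response carries `&quot;&gt;&lt;script&gt;` rather than the raw characters.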



Advisories

No advisories yet.

History

Fri, 16 Jan 2026 17:00:00 +0000

CPEs added: cpe:2.3:a:sap:business_connector:4.8:*:*:*:*:*:*:*

Tue, 13 Jan 2026 15:15:00 +0000

Metrics added (ssvc):
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

First time appeared: Sap, Sap business Connector
Vendors & Products added: Sap, Sap business Connector

Tue, 13 Jan 2026 01:45:00 +0000

Description added: Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.
Title added: Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
Weaknesses added: CWE-79
References: (no values listed)
Metrics added (cvssV3_1):
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T14:38:19.675Z

Reserved: 2025-12-09T22:06:52.467Z

Link: CVE-2026-0514

Vulnrichment

Updated: 2026-01-13T14:38:16.619Z

NVD

Status : Analyzed

Published: 2026-01-13T02:15:54.113

Modified: 2026-01-16T16:53:03.113

Link: CVE-2026-0514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses