Description
SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Published: 2026-02-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirection
Action: Apply Patch
AI Analysis

Impact

A specific component of SAP Business Server Pages, TAF_APPLAUNCHER, can accept specially crafted URLs from unauthenticated users. When a victim clicks such a link, the application redirects the browser to an attacker‑controlled site. This behavior can lead to the disclosure or alteration of sensitive data within the victim’s browser session, though it does not affect the availability of the application itself. The flaw is a classic input‑validation weakness represented by CWE‑601.

Affected Systems

The vulnerability is present in versions of SAP Business Server Pages identified by the following CPEs: SAP Business Server Pages 2008_1_700, 2008_1_710, 740, and 758. These versions correspond to the Business Server Pages Application (TAF_APPLAUNCHER) from SAP SE.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity level. The EPSS score is below 1 %, suggesting a low probability of exploitation at this moment. The vulnerability is not listed in CISA’s known exploited vulnerabilities catalog. The attack vector is relatively straightforward: an attacker does not need authentication or privileged access; they only need to trick a user into clicking a malicious link, which can be delivered via email or embedded in web content. If exploited, the impact is limited to confidentiality and integrity within the victim’s browser context and does not impair application availability.

Generated by OpenCVE AI on April 17, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the SAP security patch referenced in SAP Note 3688319 and the SAP Security Patch Day documentation
  • Configure web application firewalls or URL filtering to block or validate redirects originating from TAF_APPLAUNCHER
  • Ensure that all publicly exposed links are checked for proper input validation to mitigate CWE‑601 type weaknesses

Generated by OpenCVE AI on April 17, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap business Server Pages
CPEs cpe:2.3:a:sap:business_server_pages:2008_1_700:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_server_pages:2008_1_710:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_server_pages:740:*:*:*:*:*:*:*
cpe:2.3:a:sap:business_server_pages:758:*:*:*:*:*:*:*
Vendors & Products Sap
Sap business Server Pages

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se business Server Pages Application (taf Applauncher)
Vendors & Products Sap Se
Sap Se business Server Pages Application (taf Applauncher)

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Title Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Sap Business Server Pages
Sap Se Business Server Pages Application (taf Applauncher)
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T15:41:55.313Z

Reserved: 2026-01-21T22:15:36.673Z

Link: CVE-2026-24328

cve-icon Vulnrichment

Updated: 2026-02-10T15:41:50.331Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T04:16:05.273

Modified: 2026-02-17T15:10:34.963

Link: CVE-2026-24328

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses