Description
Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.
Published: 2026-05-14
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper handling of user input that is incorporated into a web page. Under specific conditions an attacker can inject custom Cascading Style Sheet code; when a victim opens or clicks the affected page the injected CSS is executed by the browser. This type of injection does not expose data nor change system state, leading to a minimal confidentiality impact while leaving integrity and availability untouched. The weakness is classified as CWE‑276.

Affected Systems

SAP NetWeaver Application Server ABAP, as identified by SAP SE. The CVE does not list specific product versions, so all deployed instances of this application server should be checked against SAP Note 3665042 for applicability.

Risk and Exploitability

The CVSS score of 3.1 reflects the low severity. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog. The exploitation requires that a user navigate to or interact with the affected page, so user interaction is a prerequisite. Given the low intrinsic severity and the need for manual interaction, the overall risk is considered low to moderate and the likelihood of widespread exploitation is low.

Generated by OpenCVE AI on May 14, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SAP security update referenced in SAP Note 3665042 to patch the CSS injection flaw.
  • Implement input validation that rejects or escapes CSS‑specific characters in any data that may be rendered as style information.
  • Configure a web application firewall or apply a strict Content Security Policy to block the injection of arbitrary CSS styles in web responses.

Generated by OpenCVE AI on May 14, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.
Title CSS Injection vulnerability in SAP NetWeaver Application Server ABAP
Weaknesses CWE-276
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-14T19:17:51.192Z

Reserved: 2026-02-23T17:50:10.513Z

Link: CVE-2026-27680

cve-icon Vulnrichment

Updated: 2026-05-14T19:17:47.992Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-14T19:16:31.450

Modified: 2026-05-15T14:11:57.190

Link: CVE-2026-27680

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:30:04Z

Weaknesses