Description
Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
Published: 2026-05-12
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated attackers can create a malicious URL that injects a script into an unprotected query string. When a user follows that link, the script is rendered by the web application and runs in the victim’s browser context, allowing the attacker to read or alter data owned by the user. This results in a compromise of confidentiality and integrity of application data, while availability remains unaffected.

Affected Systems

This vulnerability affects SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) from SAP. Specific affected release numbers are not listed; the issue applies to all installations that use the unprotected URL parameter handling within Business Server Pages.

Risk and Exploitability

The CVSS score is 4.7, indicating moderate severity. With no EPSS score available and no listing in the CISA KEV catalog, current exploitation risk appears limited. The vulnerability does rely on user interaction, so it is primarily a social-engineering vector. If exploited, the attacker could gain the victim's privileges in the application. The lack of a publicly documented exploit does not preclude future use of generic XSS payloads.

Generated by OpenCVE AI on May 12, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply SAP Note 3728690 to patch SAP NetWeaver Application Server ABAP.
  • Add input validation and output encoding to all URL parameters so that untrusted data is always escaped before being included in a web page.
  • Configure a web application firewall or equivalent layer to detect and block reflected XSS payloads.

Generated by OpenCVE AI on May 12, 2026 at 04:24 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Sap Se; Sap Se sap Netweaver Application Server Abap (applications Based On Business Server Pages)
Vendors & Products                    Sap Se; Sap Se sap Netweaver Application Server Abap (applications Based On Business Server Pages)

Tue, 12 May 2026 03:00:00 +0000

Type          Values Removed   Values Added
Description                    Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
Title                          Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T02:19:26.976Z

Reserved: 2026-02-23T17:50:17.027Z

Link: CVE-2026-27682

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T03:16:11.103

Modified: 2026-05-12T03:16:11.103

Link: CVE-2026-27682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:10Z

Weaknesses