Description
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.
Published: 2026-04-14
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via XSS
Action: Patch
AI Analysis

Impact

A reflected cross‑site scripting flaw allows an authenticated user to embed malicious JavaScript within crafted URLs on the SAP BusinessObjects Business Intelligence Platform. When another user opens such a URL, the script runs in the victim's browser, potentially allowing the attacker to read or exfiltrate restricted information. Although the vulnerability carries a low CVSS score, it still permits the disclosure of confidential data without affecting integrity or availability.

Affected Systems

Vulnerable products include the SAP BusinessObjects Business Intelligence Platform. No specific affected software versions are supplied in the advisory, so all deployments of the platform that have not applied the latest SAP security patch may be at risk.

Risk and Exploitability

The CVSS base score of 4.1 indicates low severity, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting a limited threat landscape. The likely attack path requires an authenticated attacker to craft a malicious URL and a separate victim user to click it; therefore the exploitability is constrained to social engineering or phishing scenarios. With the EPSS score unavailable, it is prudent to treat the risk as moderate until a real‑world exploit is documented.

Generated by OpenCVE AI on April 14, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SAP security patch for BusinessObjects Business Intelligence Platform as provided in the SAP Note 3698216
  • If a patch is unavailable, limit URL input fields, perform strict escaping of query parameters, and configure the web server to block inline script execution
  • Educate users to avoid clicking suspicious links and verify URL sources before accessing SAP BusinessObjects portals

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sap Se; Sap Se sap Business Objects Business Intelligence Platform
Vendors & Products | | Sap Se; Sap Se sap Business Objects Business Intelligence Platform

Tue, 14 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.
Title | | Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-04-14T13:14:17.886Z

Reserved: 2026-02-23T17:50:17.028Z

Link: CVE-2026-27683

Vulnrichment

Updated: 2026-04-14T13:09:06.302Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T00:16:06.717

Modified: 2026-04-17T15:18:16.507

Link: CVE-2026-27683

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:31:21Z