Description
SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.
Published: 2026-05-12
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can manipulate URL parameters in SAPUI5 Search UI to embed malicious content. When a victim user interacts with the modified UI, they are steered to attacker‑controlled pages that the application renders. The vulnerability does not alter data or disrupt application availability; its primary effect is to lower confidentiality by exposing users to phishing or deceptive content.

Affected Systems

The affected product is SAPUI5 Search UI, a component of SAP SE’s SAPUI5 framework. No specific version information is available in the current data, so all deployments of the Search UI that have not applied SAP’s recommended update may be vulnerable.

Risk and Exploitability

With a CVSS score of 4.7, the flaw is rated medium severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, indicating limited publicly known exploitation. It can be triggered via simple URL manipulation without authentication, meaning an attacker who can redirect a user’s browser to a crafted link can exploit it. Because the flaw only affects the rendered content and does not alter sensitive data, the overall risk remains moderate, but organizations that rely on SAPUI5 Search UI for user interactions should address it promptly.

Generated by OpenCVE AI on May 12, 2026 at 04:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply SAP Security Note 3726583 to update SAPUI5 Search UI and enforce sanitization of URL parameters
  • Configure web application firewall rules to block or neutralize unexpected URL query values in Search UI endpoints
  • Implement a content security policy that limits which external domains can be loaded in the application to mitigate the impact of injected content

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Sap Se; Sap Se sapui5 (search Ui) |
| Vendors & Products | | Sap Se; Sap Se sapui5 (search Ui) |

Tue, 12 May 2026 03:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application. |
| Title | | Content Spoofing vulnerability in SAPUI5 (Search UI) |
| Weaknesses | | CWE-451 |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T02:19:41.585Z

Reserved: 2026-03-26T19:02:45.982Z

Link: CVE-2026-34258

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T03:16:11.247

Modified: 2026-05-12T03:16:11.247

Link: CVE-2026-34258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:08Z

Weaknesses