Description
SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Published: 2026-05-12
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in SAP TAF_APPLAUNCHER within Business Server Pages, allowing an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect the victim’s browser to attacker‑controlled sites. This can expose or alter sensitive information in the browser, though the impact on confidentiality and integrity is considered low and there is no impact on availability.

Affected Systems

The affected product is the SAP Business Server Pages Application (TAF_APPLAUNCHER). No specific version information is provided; all instances of this component are potentially vulnerable until patched.

Risk and Exploitability

With a CVSS score of 6.1, the vulnerability is in the medium severity range. The EPSS score is not available and the flaw is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The primary attack vector is remote: an attacker sends a crafted link to a victim and relies on social engineering (or simply waiting) for the victim to click it. Because no authentication is required, any user who can reach the affected application is at risk. The low impact classification means a successful exploit would mainly redirect or partially manipulate the victim’s browser context rather than fully compromise the system.

Generated by OpenCVE AI on May 12, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3727717 to update Business Server Pages Application (TAF_APPLAUNCHER).
  • Deploy the latest available version of the application to eliminate the vulnerability.
  • Implement input sanitization or parameter validation for URL handling in the application, and consider deploying a web‑application firewall or stricter content‑security policy to block unintended redirects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 04:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sap Se; Sap Se business Server Pages Application (taf Applauncher)
Vendors & Products  |                | Sap Se; Sap Se business Server Pages Application (taf Applauncher)

Tue, 12 May 2026 03:00:00 +0000

Type        | Values Removed | Values Added
Description |                | SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
Title       |                | Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-05-12T12:59:48.203Z

Reserved: 2026-04-09T17:29:44.663Z

Link: CVE-2026-40137

Vulnrichment

Updated: 2026-05-12T12:59:45.143Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T03:16:12.693

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-40137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T04:30:07Z

Weaknesses