CVE-2026-44746 - Vulnerability Details

- Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet)

Description

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability.

Published: 2026-06-09

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a reflected XSS in the JDBC Test Servlet of SAP NetWeaver AS Java Component UDI. An unauthenticated attacker can embed a malicious script in a crafted URL. When a victim clicks the link, the script is rendered in the browser, allowing the attacker to access or modify data stored in the web client. This compromises confidentiality and integrity of the application with no impact on availability.

Affected Systems

SAP NetWeaver AS Java Component UDI, delivered by SAP. The advisory does not specify a particular version, so all installations that include the JDBC Test Servlet are potentially affected.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires only a crafted URL and no authentication, the risk of exploitation is moderate to high in environments where users may click unknown links. No additional prerequisites are described, so the potential attack surface is limited to the web client itself.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SAP_SE

SAP NetWeaver AS Java (JDBC Test Servlet)

unaffected

Version	Status	Constraints
`BI_UDI 7.50`	affected	—

No data.

Vendor Product Confidence Versions

Sap Se

Sap Netweaver As Java Component Udi

100%

Version	Status	Scheme	Platform
`BI_UDI 7.50`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the SAP security patch referenced in SAP Note 3723655 to update the NetWeaver AS Java Component UDI.
Disable or restrict access to the JDBC Test Servlet if the patch cannot be deployed immediately.
Educate users to avoid clicking unsolicited URLs and enforce safe browsing policies.
Monitor web traffic for abnormal request patterns that could indicate exploitation attempts.

Generated by OpenCVE AI on June 9, 2026 at 02:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00093.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://me.sap.com/notes/3723655
https://url.sap/sapsecuritypatchday

History

Tue, 09 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 09 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Netweaver As Java Component Udi
Vendors & Products		Sap Se Sap Se sap Netweaver As Java Component Udi

Tue, 09 Jun 2026 06:15:00 +0000

Type	Values Removed	Values Added
Title	Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java Component UDI	Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet)

Tue, 09 Jun 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability.
Title		Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java Component UDI
Weaknesses		CWE-79
References		https://me.sap.com/notes/3723655 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Sap Se Sap Netweaver As Java Component Udi

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-06-09T00:20:48.012Z

Updated: 2026-06-09T13:22:02.523Z

Reserved: 2026-05-07T18:16:34.195Z

Link: CVE-2026-44746

Vulnrichment

Updated: 2026-06-09T13:21:53.658Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T01:16:46.467

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-44746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:56:25Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object