Description
SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data displayed in the client�s browser. This results in a high impact on confidentiality, low impact on integrity with no impact on availability of the application.
Published: 2026-07-14
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected Cross‑Site Scripting in the Configuration Wizard of SAP NetWeaver Application Server Java. An attacker who can construct a specially‑crafted URL can cause arbitrary JavaScript to run in a victim’s browser. If the victim is authenticated to the application, the script can read cookie‑based session tokens and other sensitive client‑side data, enabling session hijacking or other data‑exfiltration. The flaw is a classic input‑validation weakness identified by CWE‑79 and results in a high impact on confidentiality with no impact on availability.

Affected Systems

The affected product is SAP NetWeaver Application Server Java, specifically its Configuration Wizard component. The vulnerability exists in all unpatched installations that still expose the wizard via HTTP(S).

Risk and Exploitability

The CVSS score of 8.2 indicates a high‑severity risk. Because the flaw can be triggered by an unauthenticated user through a crafted URL, an attacker may exploit it from any network location that can reach the wizard endpoint. EPSS data is not available, but the lack of listing in CISA KEV means there is no known active exploitation at this time. Still, the vulnerability’s high score and the ease of tricking a user into visiting the malicious link point to a significant risk that warrants prompt remediation.

Generated by OpenCVE AI on July 14, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply SAP security patch covered by SAP Note 3748227 to update NetWeaver Application Server Java
  • Restrict external access to the Configuration Wizard by blocking the service on non‑trusted networks or applying firewall rules that limit connections to trusted administrative IPs
  • Implement URL input sanitization or a Web Application Firewall rule that blocks malicious JavaScript payloads in query parameters until a patch is available

Generated by OpenCVE AI on July 14, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Description SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data displayed in the client�s browser. This results in a high impact on confidentiality, low impact on integrity with no impact on availability of the application.
Title Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-07-14T12:38:59.318Z

Reserved: 2026-05-07T18:16:34.195Z

Link: CVE-2026-44752

cve-icon Vulnrichment

Updated: 2026-07-14T12:38:55.872Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T13:00:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')