Description
SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability.
Published: 2026-06-09
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SAP Wily Introscope Enterprise Manager is vulnerable to cross‑site scripting when an unauthenticated user visits a specially crafted URL. The attacker can inject script that runs in the victim’s browser while the application’s context is preserved. The vulnerability carries a low impact on confidentiality and integrity because the script runs only in the browser, with no direct effect on server‑side data or availability.

Affected Systems

All deployments of SAP Wily Introscope Enterprise Manager are affected; the CVE documentation does not specify particular product versions, so any installed instance is potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.7 indicates a low‑severity client‑side flaw. EPSS information is not available, and the vulnerability is not listed in CISA KEV. An unauthenticated attacker can exploit the issue by sending a malicious link to a user; exploitation requires the user to access the crafted URL, making social engineering a likely vector.

Generated by OpenCVE AI on June 9, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available SAP security update for Introscope Enterprise Manager, such as the patch referenced in SAP Note 3715280 or the latest SAP Security Patch Day releases.
  • Limit user access to the application or decommission it if it is no longer required.
  • Implement web‑application‑firewall rules or Content‑Security‑Policy headers to block or escape injected script content.

Generated by OpenCVE AI on June 9, 2026 at 02:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap introscope Enterprise Manager
Vendors & Products Sap
Sap introscope Enterprise Manager

Tue, 09 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Description SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability.
Title Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Sap Introscope Enterprise Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-06-09T14:32:19.332Z

Reserved: 2026-05-07T18:31:04.067Z

Link: CVE-2026-44757

cve-icon Vulnrichment

Updated: 2026-06-09T14:32:15.833Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T01:16:47.337

Modified: 2026-06-09T02:08:28.150

Link: CVE-2026-44757

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T08:00:14Z

Weaknesses