Description
SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.
Published: 2026-07-14
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject and execute malicious scripts within the SAP CRM WebClient UI because the application lacks a properly configured Content Security Policy. The absence of restrictive CSP directives permits client‑side script execution, which can tamper with the integrity of the application’s data or interface, although it does not affect confidentiality or availability. The weakness is identified as improper restriction of operations.

Affected Systems

SAP SE’s SAP CRM WebClient UI is affected. No specific version information is provided, so any deployment of this product should be examined for the missing CSP configuration.

Risk and Exploitability

With a CVSS score of 4.1, the severity is low. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a web page or component served by the WebClient UI; an attacker with access to the application could supply a malicious script payload via input fields or URLs. Exploitation requires the presence of the vulnerable UI and the absence of a blocking CSP policy.

Generated by OpenCVE AI on July 14, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure a restrictive Content Security Policy for the SAP CRM WebClient UI, ensuring that directives such as script-src only allow trusted sources.
  • Apply the latest SAP security updates or patches that address the CSP misconfiguration, as referenced in SAP Note 3155685.
  • If a patch is unavailable, restrict or disable the components that allow arbitrary script injection in the WebClient UI to reduce the attack surface.

Generated by OpenCVE AI on July 14, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 01:00:00 +0000

Type Values Removed Values Added
Description SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.
Title Security misconfiguration in SAP CRM (WebClient UI)
Weaknesses CWE-15
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-07-14T12:48:49.816Z

Reserved: 2026-05-07T18:39:44.147Z

Link: CVE-2026-44768

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T13:00:04Z

Weaknesses
  • CWE-15

    External Control of System or Configuration Setting