Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.
AnalysisAI
Reflected Cross-Site Scripting (XSS) in SAP Supplier Relationship Management (SRM) SICF Handler allows unauthenticated remote attackers to craft malicious URLs that, when accessed by victims, execute arbitrary JavaScript within their browsers. Successful exploitation enables attackers to steal session credentials, modify procurement data, or perform actions on behalf of authenticated users, affecting confidentiality and integrity of SRM operations. The vulnerability carries a CVSS score of 6.1 with moderate real-world risk due to required user interaction and cross-origin constraints, though no public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability exists in SAP's Internet Communication Framework (SICF) handler component used by the SRM Catalog module. SICF is SAP's HTTP request routing and authentication mechanism for web-based applications running on the NetWeaver platform. The flaw stems from inadequate input validation and output encoding of user-supplied parameters in HTTP requests processed by the SICF handler, which maps to CWE-79 (Improper Neutralization of Input During Web Page Generation). When an attacker crafts a URL containing unescaped malicious script payloads (typically in query parameters or request bodies), the handler fails to sanitize or HTML-encode these inputs before reflecting them back in the HTTP response. Since SICF processes requests before application-level authentication, the handler itself can be exploited without valid SAP credentials. The reflected nature of the XSS means the payload must be delivered via a crafted URL, making this a client-side vulnerability that depends on victim interaction.
RemediationAI
Apply the vendor-released security patch provided by SAP for the SRM Catalog component via the official SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and reference SAP Note 3645228 (https://me.sap.com/notes/3645228) for detailed patch instructions, version mapping, and implementation steps. As an interim workaround pending patch deployment, disable or restrict HTTP access to the affected SICF handler endpoints using SAP's SICF transaction (SICF_TRANSACTIONS_SM54) to limit exposure to external users, implement network-level protections to block untrusted traffic to SRM Catalog URLs, and educate end-users to avoid clicking suspicious links or URLs from external sources. Verify that all SAP Catalogs and related modules have been updated and restart relevant SAP instances after patching to ensure the fix is active.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22138