Skip to main content

SAP NetWeaver Application Server ABAP CVE-2026-27680

| EUVDEUVD-2026-30363 LOW
Incorrect Default Permissions (CWE-276)
2026-05-14 sap GHSA-4wqv-v86p-8q8g
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 19:31 vuln.today
CVE Published
May 14, 2026 - 18:33 nvd
LOW 3.1

DescriptionCVE.org

Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.

AnalysisAI

CSS injection in SAP NetWeaver Application Server ABAP allows unauthenticated remote attackers to inject malicious Cascading Style Sheets into web pages served by the application, with exploitation requiring user interaction (clicking or accessing the affected page). The injected CSS executes in the victim's browser context, resulting in low-impact confidentiality loss; integrity and availability are not affected. CVSS 3.1 reflects the limited impact and high attack complexity required.

Technical ContextAI

SAP NetWeaver Application Server ABAP is an enterprise resource planning (ERP) platform that serves web-based administrative and business interfaces. The vulnerability stems from improper input validation and sanitization of CSS data before it is rendered in HTTP responses to users. This is fundamentally a reflected or stored CSS injection flaw (related to CWE-276: Incorrect Default File Permissions), allowing an attacker to craft malicious CSS payloads that bypass input validation checks. When a user accesses a web page containing the injected CSS, the browser executes the CSS rules, potentially enabling style-based attacks such as form hijacking, information disclosure through pseudo-elements, or UI redressing.

RemediationAI

Organizations must apply the security patch released by SAP for NetWeaver Application Server ABAP; specific patched version numbers should be identified from SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and SAP Note 3665042 (https://me.sap.com/notes/3665042) matching your installed version. As a compensating control pending patch deployment, restrict web access to SAP NetWeaver ABAP administrative interfaces to trusted internal networks only, using firewall rules or VPN enforcement-this eliminates the network attack vector (AV:N) by requiring physical access to trusted networks. Additionally, educate users against clicking links in untrusted communications that reference SAP NetWeaver pages, as user interaction (UI:R) is a prerequisite for exploitation; this reduces attack surface without technical changes. Input validation and output encoding should be verified for CSS-related parameters in custom ABAP code accessing the vulnerable components; however, this is a product flaw requiring vendor patches for complete remediation.

Share

CVE-2026-27680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy