Skip to main content

SAP NetWeaver Application Server ABAP CVE-2026-27682

| EUVDEUVD-2026-29370 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 sap GHSA-xj8w-vw8m-px5f
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:15 vuln.today
CVE Published
May 12, 2026 - 02:19 nvd
MEDIUM 4.7

DescriptionCVE.org

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

AnalysisAI

Reflected cross-site scripting (XSS) in SAP NetWeaver Application Server ABAP (Business Server Pages) allows unauthenticated attackers to inject malicious scripts via unprotected URL parameters. Successful exploitation requires victim interaction (clicking a crafted link) and affects confidentiality and integrity of application data. No public exploit code or active exploitation reported at time of analysis.

Technical ContextAI

SAP NetWeaver Application Server ABAP uses Business Server Pages (BSP) for web application development. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), where user-supplied input in URL parameters is not properly sanitized or encoded before being rendered in HTML responses. The affected CPE indicates all versions of the ABAP application server with Business Server Pages functionality are potentially vulnerable. The attack vector is network-based (AV:N) but requires high complexity (AC:H) due to user interaction (UI:R) prerequisite, suggesting the vulnerability may depend on specific parameter handling or browser behavior.

RemediationAI

Apply the security patch provided by SAP via the referenced security patch day advisory (https://url.sap/sapsecuritypatchday) and consult the detailed note at https://me.sap.com/notes/3728690 for exact patch versions and deployment instructions. Pending patch deployment, implement input validation and output encoding controls at the application level: enforce strict allowlist validation on all URL parameters used in BSP page generation, apply HTML entity encoding to all user-supplied data before rendering in HTML context, and deploy Web Application Firewall (WAF) rules to block requests containing common XSS payloads (e.g., script tags, event handlers). Additionally, configure Content Security Policy (CSP) headers to restrict inline script execution, limiting the impact of successfully injected payloads. Consider disabling or restricting access to vulnerable BSP endpoints if business requirements permit.

Share

CVE-2026-27682 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy