Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.
AnalysisAI
Reflected cross-site scripting (XSS) in SAP BusinessObjects Business Intelligence allows authenticated attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers, potentially exposing restricted information. The vulnerability requires user interaction (clicking a malicious link) and affects only confidentiality with a CVSS score of 4.1 (low severity). No public exploit code or active exploitation has been identified.
Technical ContextAI
This is a classic reflected XSS vulnerability (CWE-79) in a web application. The SAP BusinessObjects Business Intelligence platform fails to properly sanitize or encode user-supplied input in URL parameters before reflecting them back into HTML/JavaScript context. The vulnerability is rendered in the browser with the victim's session privileges, allowing JavaScript execution within the security context of the application. Since the CVSS vector shows PR:L, the attacker must already possess valid application credentials, limiting the attack surface to insider threats or compromised accounts. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning exploitation requires no special conditions beyond crafting a URL.
RemediationAI
Apply the patch provided by SAP as referenced in SAP Note 3698216 and announced on the SAP Security Patch Day portal (https://url.sap/sapsecuritypatchday). The exact patched version should be identified from the SAP advisory. As an interim workaround, restrict sharing of untrusted URLs within the application, educate users not to click links from untrusted sources, and implement a Content Security Policy (CSP) header to limit JavaScript execution scope. Additionally, enforce URL encoding and input validation at the application layer to prevent reflected XSS.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22156
GHSA-wm9q-282x-pcmx