Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
AnalysisAI
SAP Business Server Pages TAF_APPLAUNCHER contains a cross-site scripting vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to attacker-controlled sites, potentially exposing or altering sensitive information. The vulnerability requires user interaction (clicking the link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been publicly confirmed at time of analysis.
Technical ContextAI
The vulnerability is a reflected cross-site scripting (XSS) flaw in the TAF_APPLAUNCHER component within SAP Business Server Pages, a web application framework used in SAP systems. CWE-79 indicates improper neutralization of input during web page generation, meaning user-supplied data is not adequately sanitized before being reflected back to the browser. The attack vector is network-based (AV:N) with low complexity (AC:L), requiring no authentication (PR:N) but necessitating user interaction (UI:R). The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component itself, such as redirecting to external sites or injecting malicious content into the user's session context.
RemediationAI
Apply the security patch released by SAP for Business Server Pages TAF_APPLAUNCHER as documented in SAP Security Note 3727717 and SAP Security Patch Day guidance (https://url.sap/sapsecuritypatchday). The primary remediation is to upgrade to the patched version provided by SAP; exact version numbers are not specified in available data and must be verified through the referenced SAP advisories. As an interim compensating control while patching is deployed, restrict user access to Business Server Pages applications to trusted internal networks only, use URL filtering or security proxies to block suspicious external redirects, and educate end users not to click links from untrusted sources - however, these controls do not eliminate the vulnerability itself and should be considered temporary measures only. Organizations heavily reliant on TAP_APPLAUNCHER may experience temporary operational impact during patching windows; coordinate patch deployment with change management to minimize user-facing disruption.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29364
GHSA-qx93-pqj3-crqc