Skip to main content

SAP Business Server Pages CVE-2026-40137

| EUVDEUVD-2026-29364 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-12 sap GHSA-qx93-pqj3-crqc
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:17 vuln.today
CVE Published
May 12, 2026 - 02:23 nvd
MEDIUM 6.1

DescriptionCVE.org

SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.

AnalysisAI

SAP Business Server Pages TAF_APPLAUNCHER contains a cross-site scripting vulnerability that allows unauthenticated attackers to craft malicious links redirecting users to attacker-controlled sites, potentially exposing or altering sensitive information. The vulnerability requires user interaction (clicking the link) and affects confidentiality and integrity with a CVSS score of 6.1. No active exploitation has been publicly confirmed at time of analysis.

Technical ContextAI

The vulnerability is a reflected cross-site scripting (XSS) flaw in the TAF_APPLAUNCHER component within SAP Business Server Pages, a web application framework used in SAP systems. CWE-79 indicates improper neutralization of input during web page generation, meaning user-supplied data is not adequately sanitized before being reflected back to the browser. The attack vector is network-based (AV:N) with low complexity (AC:L), requiring no authentication (PR:N) but necessitating user interaction (UI:R). The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component itself, such as redirecting to external sites or injecting malicious content into the user's session context.

RemediationAI

Apply the security patch released by SAP for Business Server Pages TAF_APPLAUNCHER as documented in SAP Security Note 3727717 and SAP Security Patch Day guidance (https://url.sap/sapsecuritypatchday). The primary remediation is to upgrade to the patched version provided by SAP; exact version numbers are not specified in available data and must be verified through the referenced SAP advisories. As an interim compensating control while patching is deployed, restrict user access to Business Server Pages applications to trusted internal networks only, use URL filtering or security proxies to block suspicious external redirects, and educate end users not to click links from untrusted sources - however, these controls do not eliminate the vulnerability itself and should be considered temporary measures only. Organizations heavily reliant on TAP_APPLAUNCHER may experience temporary operational impact during patching windows; coordinate patch deployment with change management to minimize user-facing disruption.

Share

CVE-2026-40137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy