Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability.
AnalysisAI
Reflected cross-site scripting in SAP Wily Introscope Enterprise Manager allows an unauthenticated remote attacker to craft a malicious URL that, when accessed by a victim user, executes injected JavaScript within the application's browser context. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network-reachable delivery requiring no attacker credentials, but demands both high attack complexity and victim interaction, capping real-world exploitability. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a lower-urgency tier despite the cross-scope impact.
Technical ContextAI
SAP Wily Introscope Enterprise Manager is an Application Performance Management (APM) platform widely used in enterprise Java environments for transaction monitoring and diagnostics. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), specifically a reflected XSS variant in which attacker-controlled input embedded in the URL is echoed into the HTTP response without adequate sanitization or output encoding. The Changed Scope designation (S:C) in the CVSS vector is technically significant: it confirms that the injected script executes in the victim's browser security context rather than the server's, crossing trust boundaries from the web application into the client environment. No CPE strings were provided in the input data, so exact version ranges must be derived from SAP Security Note 3715280.
RemediationAI
Apply the vendor-supplied fix documented in SAP Security Note 3715280, available at https://me.sap.com/notes/3715280 and announced via SAP Security Patch Day at https://url.sap/sapsecuritypatchday. The exact patched version number is not independently confirmed from available data - consult the SAP note directly for version-specific guidance. As a compensating control prior to patching, restrict access to the Introscope Enterprise Manager web interface to trusted internal network segments or require VPN access; this directly reduces attacker reach given the social-engineering delivery vector. Deploying a Web Application Firewall with reflected XSS filtering rules targeting the Enterprise Manager endpoint can detect or block crafted URL payloads, though WAF bypass risk should be acknowledged. Educating APM administrators and developers - the likely victim pool - about phishing URLs targeting internal tooling can reduce the UI:R dependency that attackers require.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35288
GHSA-54r5-565w-54gg