Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
URL parameter delivery requires no privileges; victim page load is mandatory (UI:R); CSS injection crosses into victim page scope (S:C); no availability impact applies.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
setThemeRoot() failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a <link rel=stylesheet> element, even when no <meta name=sap-allowed-theme-origins> tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL parameter.Exploitation requires attacker-influenced input (e.g., a URL query parameter, tenant configuration, or user-supplied setting) to reach setThemeRoot(). A successful exploit allows an attacker to inject arbitrary CSS into the victim page, enabling:- UI redressing and clickjacking- Phishing overlays- Visual defacement- Limited data exfiltration via CSS attribute selectors targeting predictable DOM content
AnalysisAI
CSS stylesheet injection in SAP @ui5/webcomponents-base allows unauthenticated remote attackers to load arbitrary cross-origin stylesheets into victim pages by bypassing the sap-allowed-theme-origins allowlist enforcement inside setThemeRoot(). The ?sap-themeRoot URL query parameter is a direct delivery vector, making socially-engineered exploitation trivial - no authentication is required from the attacker (CVSS PR:N), only a victim page load (UI:R). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires attacker-influenced input to reach setThemeRoot() - the most accessible path is the ?sap-themeRoot URL query parameter, which requires only that a victim load an attacker-crafted URL (no server-side access or authentication by the attacker required; CVSS PR:N confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.1 (Medium) is broadly appropriate: the scope-changed metric (S:C) reflects that injected CSS affects the entire victim page beyond the component itself, but the limited C:L/I:L impacts and mandatory user interaction (UI:R) keep severity below high. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to a target SAP Fiori or UI5-based application, appending ?sap-themeRoot=https://attacker.example.com/evil/ where the attacker hosts a malicious CSS file, and delivers it to a victim via phishing email - a plausible vector since SAP application links are routinely shared in enterprise workflows. When the victim loads the URL, setThemeRoot() processes the parameter, bypasses the allowlist check, constructs a <link rel=stylesheet> pointing to the attacker's server, and the browser silently fetches the malicious stylesheet. … |
| Remediation | The primary fix is to apply the patched release of @ui5/webcomponents-base referenced in GitHub Security Advisory GHSA-p8gx-753q-v89p (https://github.com/UI5/webcomponents/security/advisories/GHSA-p8gx-753q-v89p) and the SAP Security Patch Day advisory (https://url.sap/sapsecuritypatchday); upstream fix available (PR/commit), but the exact released patched version is not independently confirmed from available data - consult the advisories directly to identify the correct target version before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43597
GHSA-5hp5-q35j-vjpg