Skip to main content

SAP CRM WebClient CVE-2026-44768

| EUVDEUVD-2026-43592 MEDIUM
External Control of System or Configuration Setting (CWE-15)
2026-07-14 sap GHSA-xfxh-3p9c-mww9
4.1
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
vuln.today AI
4.1 MEDIUM

Authenticated low-privilege account required (PR:L), victim interaction mandatory (UI:R), browser scope change applies (S:C); description confirms no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (sap).

CVSS VectorVendor: sap

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 01:21 vuln.today

DescriptionCVE.org

SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.

AnalysisAI

Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to SAP CRM with low-privilege account
Delivery
Inject malicious script into CRM content or record
Exploit
Socially engineer victim user to view injected content
Execution
Browser renders content without CSP restriction
Persist
Script executes in victim browser session
Impact
Limited integrity manipulation within victim context

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid low-privileged SAP CRM account, as confirmed by CVSS PR:L - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.1 (Medium) accurately reflects the constrained impact profile: while the attack is network-reachable and low-complexity (AV:N/AC:L), it requires an authenticated low-privileged account (PR:L) and mandatory victim interaction (UI:R), introducing two meaningful friction points. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privileged SAP CRM user injects a malicious script payload into a CRM record, activity, or shareable link within the WebClient UI. When a victim user with a valid session navigates to or interacts with that content, the browser executes the script without CSP restriction, potentially enabling session manipulation, UI redirection, or limited data modification within the victim's browser context. …
Remediation Apply the corrective measures detailed in SAP Security Note 3155685 (https://me.sap.com/notes/3155685), which addresses the absent CSP configuration in SAP CRM WebClient UI. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44768 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy