Skip to main content

SAP EUVDEUVD-2026-22156

| CVE-2026-27683 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 cna@sap.com GHSA-wm9q-282x-pcmx
4.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 00:25 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 00:22 euvd
EUVD-2026-22156
Analysis Generated
Apr 14, 2026 - 00:22 vuln.today
CVE Published
Apr 14, 2026 - 00:16 nvd
MEDIUM 4.1

DescriptionCVE.org

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.

AnalysisAI

Reflected cross-site scripting (XSS) in SAP BusinessObjects Business Intelligence allows authenticated attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers, potentially exposing restricted information. The vulnerability requires user interaction (clicking a malicious link) and affects only confidentiality with a CVSS score of 4.1 (low severity). No public exploit code or active exploitation has been identified.

Technical ContextAI

This is a classic reflected XSS vulnerability (CWE-79) in a web application. The SAP BusinessObjects Business Intelligence platform fails to properly sanitize or encode user-supplied input in URL parameters before reflecting them back into HTML/JavaScript context. The vulnerability is rendered in the browser with the victim's session privileges, allowing JavaScript execution within the security context of the application. Since the CVSS vector shows PR:L, the attacker must already possess valid application credentials, limiting the attack surface to insider threats or compromised accounts. The attack vector is network-based (AV:N) with low complexity (AC:L), meaning exploitation requires no special conditions beyond crafting a URL.

RemediationAI

Apply the patch provided by SAP as referenced in SAP Note 3698216 and announced on the SAP Security Patch Day portal (https://url.sap/sapsecuritypatchday). The exact patched version should be identified from the SAP advisory. As an interim workaround, restrict sharing of untrusted URLs within the application, educate users not to click links from untrusted sources, and implement a Content Security Policy (CSP) header to limit JavaScript execution scope. Additionally, enforce URL encoding and input validation at the application layer to prevent reflected XSS.

Share

EUVD-2026-22156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy