Skip to main content

SAPUI5 Search UI EUVDEUVD-2026-29368

| CVE-2026-34258 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-05-12 sap GHSA-jv4p-cjwp-g497
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 03:15 vuln.today
CVE Published
May 12, 2026 - 02:19 nvd
MEDIUM 4.7

DescriptionCVE.org

SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.

AnalysisAI

SAPUI5 Search UI allows unauthenticated attackers to manipulate URL parameters to inject malicious content, potentially deceiving users into accessing attacker-controlled pages. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact with no effect on integrity or availability. No active exploitation has been confirmed at the time of this analysis.

Technical ContextAI

SAPUI5 is SAP's UI development framework built on OpenUI5. The Search UI component is vulnerable to insufficient URL parameter sanitization, allowing an attacker to inject arbitrary content into pages rendered by the application. This falls under CWE-451 (User Interface (UI) Misrepresentation of Critical Information), which covers cases where UI elements are manipulated to mislead users. The vulnerability affects the SAPUI5 Search UI across all versions indicated by the CPE (cpe:2.3:a:sap_se:sapui5_(search_ui):*:*:*:*:*:*:*:*), suggesting the flaw is systemic to the component rather than version-specific.

RemediationAI

Organizations should apply patches released by SAP as detailed in SAP Note 3726583 and SAP Security Patch Day (https://url.sap/sapsecuritypatchday). Since this is a UI parameter injection vulnerability, the patch likely includes input validation and encoding of URL parameters before rendering in the Search UI. Until patching is possible, implement compensating controls such as Content Security Policy (CSP) headers to restrict script execution from injected content, validate all user-supplied URL parameters on the client side, and educate users to verify URL authenticity before clicking links that access the Search UI. Note that CSP implementation may impact application functionality if not carefully scoped, and client-side validation alone is insufficient against sophisticated attackers who can craft HTTPS URLs. No workarounds have been identified in the available intelligence; patching is the primary remediation path.

Share

EUVD-2026-29368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy