Skip to main content

SAP Wily Introscope EUVDEUVD-2026-35288

| CVE-2026-44757 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 cna@sap.com GHSA-54r5-565w-54gg
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 01:37 vuln.today

DescriptionCVE.org

SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability.

AnalysisAI

Reflected cross-site scripting in SAP Wily Introscope Enterprise Manager allows an unauthenticated remote attacker to craft a malicious URL that, when accessed by a victim user, executes injected JavaScript within the application's browser context. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms network-reachable delivery requiring no attacker credentials, but demands both high attack complexity and victim interaction, capping real-world exploitability. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in a lower-urgency tier despite the cross-scope impact.

Technical ContextAI

SAP Wily Introscope Enterprise Manager is an Application Performance Management (APM) platform widely used in enterprise Java environments for transaction monitoring and diagnostics. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-Site Scripting), specifically a reflected XSS variant in which attacker-controlled input embedded in the URL is echoed into the HTTP response without adequate sanitization or output encoding. The Changed Scope designation (S:C) in the CVSS vector is technically significant: it confirms that the injected script executes in the victim's browser security context rather than the server's, crossing trust boundaries from the web application into the client environment. No CPE strings were provided in the input data, so exact version ranges must be derived from SAP Security Note 3715280.

RemediationAI

Apply the vendor-supplied fix documented in SAP Security Note 3715280, available at https://me.sap.com/notes/3715280 and announced via SAP Security Patch Day at https://url.sap/sapsecuritypatchday. The exact patched version number is not independently confirmed from available data - consult the SAP note directly for version-specific guidance. As a compensating control prior to patching, restrict access to the Introscope Enterprise Manager web interface to trusted internal network segments or require VPN access; this directly reduces attacker reach given the social-engineering delivery vector. Deploying a Web Application Firewall with reflected XSS filtering rules targeting the Enterprise Manager endpoint can detect or block crafted URL payloads, though WAF bypass risk should be acknowledged. Educating APM administrators and developers - the likely victim pool - about phishing URLs targeting internal tooling can reduce the UI:R dependency that attackers require.

Share

EUVD-2026-35288 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy