SAP NetWeaver AS ABAP Memory Corruption and XSS
2026-07-14
Memory corruption in SAP NetWeaver Application Server ABAP lets an authenticated attacker exploit logical flaws in memory management (an out-of-bounds write) to read or alter data and crash the system, with high impact on confidentiality, integrity, and availability. SAP rates it CVSS 9.9 with a changed scope, meaning a low-privileged user can affect components beyond their own authorization boundary. There is no public exploit identified at time of analysis, but the low attack complexity and network reachability make it a high-priority patch for any exposed ABAP stack.
Reflected XSS in SAP NetWeaver Application Server ABAP's Business Server Pages (BSP) framework allows remote unauthenticated attackers to inject arbitrary JavaScript into HTTP responses when a victim user interacts with a crafted URL. Successful exploitation enables session token theft and execution of authenticated actions on behalf of the victim within the SAP web context. No public exploit code or CISA KEV listing is identified at time of analysis; CVSS AC:H indicates non-trivial conditions must align for successful delivery, moderating real-world risk despite the enterprise sensitivity of SAP environments.