CVE-2026-24323

MEDIUM

BSP - XSS

Title source: llm

Description

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.

References (2)

[Permissions Required] https://me.sap.com/notes/3678417

[Vendor Advisory] https://url.sap/sapsecuritypatchday

Scores

CVSS v3 6.1

EPSS 0.0002

EPSS Percentile 4.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-601

Status published

Affected Products (15)

sap/document_management_system

sap/erp

sap/s4core

Timeline

Published Feb 10, 2026

Tracked Since Feb 18, 2026