CVE-2026-27682

MEDIUM

SAP NetWeaver AS ABAP Business Server Pages - Reflected Cross-Site Scripting

Title source: manual
STIX 2.1

Description

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

Scores

CVSS v3 4.7
EPSS 0.0022
EPSS Percentile 12.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (32)
sap/netweaver_application_server_abap 700
sap/netweaver_application_server_abap 701
sap/netweaver_application_server_abap 702
sap/netweaver_application_server_abap 731
sap/netweaver_application_server_abap 740
sap/netweaver_application_server_abap 750
sap/netweaver_application_server_abap 751
sap/netweaver_application_server_abap 752
sap/netweaver_application_server_abap 753
sap/netweaver_application_server_abap 754
... and 22 more
Published May 12, 2026
Tracked Since May 12, 2026