Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server...

4.7 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

Basic Information

ID CVE-2026-27682

Source sap

Published May 12, 2026 at 02:19

Affected Product

Vendor SAP_SE

Product SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)

Version SAP_BASIS 700

Affected Versions SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 700
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 701
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 702
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 731
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 740
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 750
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 751
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 752
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 753
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 754
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 755
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 756
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 757
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 758
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 816
SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 918

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim\ufffds browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.",
    "published": "2026-05-12T02:19:26.976Z",
    "modified": "2026-05-12T02:19:26.976Z",
    "type": "cve",
    "title": "Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)",
    "source": "sap",
    "references": "https://me.sap.com/notes/3728690\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-27682",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 700\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 701\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 702\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 731\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 740\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 750\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 751\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 752\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 753\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 754\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 755\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 756\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 757\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 758\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 816\nSAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 918",
    "sourceHref": "",
    "cvss": {
        "score": 4.7,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)",
    "version": "SAP_BASIS 700",
    "vendor": "SAP_SE",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)_CVE-2026-27682