CVE-2026-24323
Undergoing Analysis - In Progress
Cross-Site Scripting in BSP Applications via Unsanitized URL Parameters
Publication date: 2026-02-10
Last updated on: 2026-02-17
Assigner: SAP SE
Description
The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim's browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | erp | 618 |
| sap | s4core | 102 |
| sap | s4core | 103 |
| sap | s4core | 104 |
| sap | s4core | 105 |
| sap | s4core | 106 |
| sap | s4core | 107 |
| sap | s4core | 108 |
| sap | document_management_system | 600 |
| sap | document_management_system | 603 |
| sap | document_management_system | 604 |
| sap | document_management_system | 605 |
| sap | document_management_system | 606 |
| sap | document_management_system | 617 |
| sap | document_management_system | 602 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |