CVE-2026-27682
Received Received - Intake
Reflected XSS in SAP NetWeaver Application Server ABAP

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: SAP SE

Description
Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victimοΏ½s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-05-12
AI Q&A
2026-05-12
EPSS Evaluated
N/A
NVD
CVE-2026-27682
EUVD
EUVD-2026-29370
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sap netweaver_application_server_abap *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reflected cross-site scripting (XSS) issue in SAP NetWeaver Application Server ABAP, specifically in applications based on Business Server Pages. An attacker who is not authenticated can create a specially crafted URL that includes malicious script code within an unprotected URL parameter. When a victim clicks this URL, the malicious script is executed in the victim's browser during the web page generation process.


How can this vulnerability impact me? :

The impact of this vulnerability includes the attacker being able to execute malicious scripts in the victim's browser context. This can lead to unauthorized access to or modification of information within the affected application, thereby compromising the confidentiality and integrity of the data. However, this vulnerability does not affect the availability of the application.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying attempts to exploit reflected cross-site scripting (XSS) in SAP NetWeaver Application Server ABAP by monitoring for suspicious URLs containing unprotected parameters with embedded scripts.

Common detection methods include analyzing web server logs for unusual URL parameters or payloads that contain script tags or JavaScript code.

Specific commands or tools to detect such activity are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding clicking on suspicious links that may exploit the vulnerability and applying any available patches or updates from SAP for the NetWeaver Application Server ABAP.

Since the vulnerability involves unprotected URL parameters, implementing input validation and output encoding on the affected application can help prevent script injection.

No specific mitigation commands or detailed steps are provided in the available resources.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart