CVE-2026-27682
Analyzed Analyzed - Analysis Complete
Reflected XSS in SAP NetWeaver Application Server ABAP

Publication date: 2026-05-12

Last updated on: 2026-06-03

Assigner: SAP SE

Description
Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victimοΏ½s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-06-03
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-27682
EUVD
EUVD-2026-29370
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
sap netweaver_application_server_abap 702
sap netweaver_application_server_abap 700
sap netweaver_application_server_abap 701
sap netweaver_application_server_abap 731
sap netweaver_application_server_abap 740
sap netweaver_application_server_abap 750
sap netweaver_application_server_abap 751
sap netweaver_application_server_abap 752
sap netweaver_application_server_abap 753
sap netweaver_application_server_abap 754
sap netweaver_application_server_abap 755
sap netweaver_application_server_abap 756
sap netweaver_application_server_abap 757
sap netweaver_application_server_abap 758
sap netweaver_application_server_abap 816
sap netweaver_application_server_abap 918
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a reflected cross-site scripting (XSS) issue in SAP NetWeaver Application Server ABAP, specifically in applications based on Business Server Pages. An attacker who is not authenticated can create a specially crafted URL that includes malicious script code within an unprotected URL parameter. When a victim clicks this URL, the malicious script is executed in the victim's browser during the web page generation process.

Impact Analysis

The impact of this vulnerability includes the attacker being able to execute malicious scripts in the victim's browser context. This can lead to unauthorized access to or modification of information within the affected application, thereby compromising the confidentiality and integrity of the data. However, this vulnerability does not affect the availability of the application.

Detection Guidance

This vulnerability can be detected by identifying attempts to exploit reflected cross-site scripting (XSS) in SAP NetWeaver Application Server ABAP by monitoring for suspicious URLs containing unprotected parameters with embedded scripts.

Common detection methods include analyzing web server logs for unusual URL parameters or payloads that contain script tags or JavaScript code.

Specific commands or tools to detect such activity are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include avoiding clicking on suspicious links that may exploit the vulnerability and applying any available patches or updates from SAP for the NetWeaver Application Server ABAP.

Since the vulnerability involves unprotected URL parameters, implementing input validation and output encoding on the affected application can help prevent script injection.

No specific mitigation commands or detailed steps are provided in the available resources.

Compliance Impact

This vulnerability allows an attacker to execute malicious scripts in the victim's browser, potentially accessing and modifying information, which impacts the confidentiality and integrity of the application.

Such impacts on confidentiality and integrity could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining data integrity.

However, the provided information does not explicitly state the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27682. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart