CVE-2026-40137
SAP TAF_APPLAUNCHER Open Redirect Vulnerability
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | taf_applauncher | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in SAP TAF_APPLAUNCHER within Business Server Pages. It allows an unauthenticated attacker to create malicious links that, when clicked by a victim, redirect the victim's browser to attacker-controlled websites.
This redirection can potentially expose or alter sensitive information in the victim's browser.
The impact on confidentiality and integrity is considered low, and there is no impact on the availability of the application.
How can this vulnerability impact me? :
If exploited, this vulnerability can cause a victim to be redirected to malicious websites controlled by an attacker.
This redirection may lead to exposure or alteration of sensitive information within the victim's browser.
The overall impact is low on confidentiality and integrity, and there is no impact on the availability of the affected application.