CVE-2022-26101
Description
Fiori launchpad versions 754-756 contain a reflected XSS vulnerability due to insufficient encoding of user inputs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The SAP Fiori launchpad (versions 754, 755, 756) does not properly encode user-controlled inputs before reflecting them into the page, allowing an attacker to inject arbitrary HTML and JavaScript [1]. This is a reflected Cross-Site Scripting (XSS) vulnerability.
Exploitation
An attacker crafts a URL to the Fiori launchpad that carries the payload in a user-controlled parameter and induces a victim to open it, for example through a phishing link. The victim must be logged into the launchpad for the injected script to act within their session; the attacker needs no credentials of their own and no special network position [1].
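The reflection-and-encoding difference described above, as an added example that is not SAP's code and not taken from the references: a handler that reflects a query parameter into markup, first without encoding (the class of defect reported here) and then with HTML entity encoding. The parameter name `q`, the hostname and the page template are assumptions for illustration; the attacker URL is constructed.

```javascript
// Added example (not SAP's code): a reflected-XSS sink and its hardened form.
// The parameter name "q", the host and the page template are assumptions.

// Entity-encode a value for the HTML element-content and attribute-value contexts.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[ch]);
}

// Read a query parameter the way a page handler would; URLSearchParams
// percent-decodes the value, so the raw attacker markup comes back intact.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Vulnerable: the decoded parameter is concatenated straight into markup.
function renderUnsafe(url) {
  const q = getParam(url, "q");
  return `<div class="result">Results for: ${q}</div>`;
}

// Hardened: every untrusted value is entity-encoded before it touches markup.
function renderSafe(url) {
  const q = getParam(url, "q");
  return `<div class="result">Results for: ${encodeForHtml(q)}</div>`;
}

// Crude detector for a script element or an inline event handler in rendered
// markup; used only to make the difference between the two renderers observable.
function containsActiveContent(html) {
  return /<script\b|<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed attacker URL: the reflected value carries an event handler that
// would run in the victim's session once the victim opens the link.
const ATTACK_URL =
  "https://fiori.example.invalid/launchpad?q=" +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

console.log("unsafe:", renderUnsafe(ATTACK_URL));
console.log("safe:  ", renderSafe(ATTACK_URL));
```

Encoding must be chosen per output context: the entity encoder above is correct for element content and quoted attribute values, but a value placed inside a script block, a URL or a CSS rule needs the encoder for that context instead.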
Impact
Successful exploitation executes attacker-supplied JavaScript in the victim's browser within the origin of the Fiori launchpad. This can lead to theft of session tokens or other data the page can read, actions performed in the victim's session, and defacement of the displayed content. Cookies flagged HttpOnly are not readable by the injected script, but the script can still issue requests that carry them.
Mitigation
SAP has released security notes (e.g., note 3084327) addressing this issue; users should apply the patches provided by SAP. As of the publication date, no workaround is available [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Fiori Launchpad (SAP SE), range: 754, 755, 756
- SAP SE / Fiori Launchpad v5, range: < 754
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- packetstormsecurity.com/files/167561/SAP-Fiori-Launchpad-Cross-Site-Scripting.html (MISC)
- seclists.org/fulldisclosure/2022/Jun/39 (Full Disclosure mailing list)
- dam.sap.com/mac/embed/public/pdf/a/ucQrx6G.htm (MISC)
- launchpad.support.sap.com (MISC)
News mentions
No linked articles in our index yet.