CVE-2025-26653
Description
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim's browser. Availability is not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP NetWeaver ABAP fails to encode user inputs, allowing stored XSS via unprivileged injection of malicious JavaScript.
Vulnerability
Overview
CVE-2025-26653 is a stored cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP. The root cause is insufficient encoding of user-controlled inputs, which allows an attacker to inject arbitrary JavaScript code that persists on the server and is later rendered in the browser of any user visiting the affected page [1].
Exploitation
No authentication or special privileges are required to exploit this vulnerability. An attacker can deliver the malicious payload through any exposed input field that is stored and later displayed, without needing to bypass access controls. The attack succeeds when a victim (typically a legitimate user of the SAP system) navigates to the compromised page, causing the injected script to execute in the context of the victim's session [1].
Impact
Successful exploitation compromises the confidentiality and integrity of data within the victim's browser, as the attacker can perform actions such as session hijacking, data exfiltration, or UI redressing. The vulnerability does not affect the availability of the underlying SAP system [1].
Mitigation
SAP has addressed this issue by releasing the appropriate security note. Users are strongly advised to implement the latest security patches, which are available via the SAP Security Patch Day process [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.