VYPR
Medium severity 4.4 · NVD Advisory · Published May 13, 2025 · Updated Apr 15, 2026

CVE-2025-26662

Description

The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim's browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in SAP Data Services Management Console allows an attacker to inject malicious script, potentially compromising confidentiality and integrity when a logged-in victim clicks a crafted link.

Vulnerability

Description

The Data Services Management Console component of SAP Data Services does not sufficiently encode user-controlled inputs. This flaw allows an attacker to inject arbitrary JavaScript code into the application's response [1]. The root cause is the lack of proper output encoding or sanitization of user-supplied data before it is rendered in the browser.

Exploitation

An attacker can craft a malicious link that, when clicked by a victim who is already authenticated to the Management Console, triggers the execution of the injected script within the victim's browser session. No additional authentication is required from the attacker, but the victim must be logged in. The attack vector is over the network, and user interaction (the click) is necessary.

Impact

Successful exploitation leads to compromise of confidentiality and integrity. The attacker could read sensitive data displayed in the browser, perform actions on behalf of the victim, or modify settings within the Management Console. Availability is not affected. The CVSS v3 base score is 4.4 (Medium).

Mitigation

SAP has addressed this vulnerability with a security note released as part of its regular Security Patch Day [1]. Users are strongly advised to apply the provided patch to their Data Services installations. No workarounds are documented.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
