VYPR
Medium severity 6.1 · NVD Advisory · Published Aug 12, 2025 · Updated Apr 15, 2026

CVE-2025-42942

Description

SAP NetWeaver Application Server for ABAP has a cross-site scripting vulnerability. Due to this, an unauthenticated attacker could craft a URL embedded with malicious script and trick an unauthenticated victim into clicking on it to execute the script. Upon successful exploitation, the attacker could access and modify limited information within the scope of the victim's browser. This vulnerability has no impact on availability of the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAP NetWeaver AS for ABAP is vulnerable to reflected XSS, allowing an unauthenticated attacker to execute malicious scripts in a victim's browser, compromising limited data confidentiality and integrity.

Vulnerability

CVE-2025-42942 is a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP. The issue arises from insufficient input validation in URL handling, allowing an attacker to inject arbitrary JavaScript that executes in the victim's browser context.

Exploitation

An unauthenticated attacker can craft a malicious URL containing the injected script and lure an unauthenticated victim into clicking it, typically via phishing or social engineering. No prior authentication or network access is required; the attack relies on the victim's browser rendering the malicious payload.

Impact

Successful exploitation enables the attacker to access and modify limited information within the victim's browser session, such as session tokens, cookies, or displayed content. The attack does not affect the availability of the application.

Mitigation

SAP has addressed this vulnerability through security notes released on the SAP Security Patch Day (second Tuesday of each month) [1]. Customers are strongly advised to apply the relevant patches to protect against exploitation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
