VYPR
Medium severity 6.1 · NVD Advisory · Published Jan 13, 2026 · Updated Apr 15, 2026

CVE-2026-0499

Description

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated reflected XSS vulnerability in SAP NetWeaver Enterprise Portal allows an attacker to inject malicious scripts via a URL parameter, leading to session theft or content manipulation.

Vulnerability Description

CVE-2026-0499 is a reflected cross-site scripting (XSS) vulnerability in the SAP NetWeaver Enterprise Portal. The root cause is improper sanitization of a URL parameter, which allows an unauthenticated attacker to inject arbitrary JavaScript into the parameter value. When a user visits the crafted URL, the server reflects the malicious script in the response, which then executes in the user's browser [1].

Exploitation Requirements

No authentication is required to exploit this vulnerability. An attacker only needs to trick a victim into clicking a specially crafted link, for example through a phishing email or by embedding the link on a third-party site. The XSS is reflected, meaning the malicious payload is not stored on the server but is delivered via the URL itself.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session on the vulnerable portal. This can lead to theft of session cookies or other sensitive information, manipulation of portal content displayed to the victim, or redirection to malicious sites. The official description notes low impact on confidentiality and integrity, with no impact on availability [1].

Mitigation

SAP has released a security patch as part of its monthly Patch Day. Customers are advised to apply the corresponding SAP Security Note on SAP for Me. No workarounds have been published; updating to the patched version is the recommended action [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
