VYPR
← All advisories
Medium severity4.7NVD Advisory· Published May 12, 2026· Updated May 12, 2026

CVE-2026-27682

CVE-2026-27682

Description

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in SAP NetWeaver AS ABAP (BSP-based apps) allows unauthenticated attackers to execute malicious scripts via crafted URL, impacting confidentiality and integrity.

Vulnerability

Overview

CVE-2026-27682 is a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP, specifically in applications based on Business Server Pages (BSP). The root cause is an unprotected URL parameter that is not properly sanitized during web page generation, allowing an attacker to inject arbitrary script code into the response [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing the injected script. The victim must click on the crafted link, which causes the injected input to be processed and reflected back in the browser context. No authentication or special network position is required; the attack is performed remotely via social engineering [1].

Impact

Successful exploitation enables the attacker to execute arbitrary script in the victim's browser, potentially accessing or modifying sensitive information within the application's context. This impacts the confidentiality and integrity of the affected SAP system, with no effect on availability [1].

Mitigation

SAP has addressed this vulnerability through its regular Security Patch Day process. Customers are advised to apply the relevant SAP Security Notes as provided in the vendor advisory [1]. Organizations should prioritize patching to mitigate the risk of XSS attacks.

References
  1. SAP Security Notes & News

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.