CVE-2026-27683
Description
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP BusinessObjects BI allows authenticated attackers to inject malicious JavaScript via crafted URLs, leading to low confidentiality impact.
Vulnerability
Overview
CVE-2026-27683 is a stored/reflected cross-site scripting (XSS) vulnerability in the SAP BusinessObjects Business Intelligence application. An authenticated attacker can inject malicious JavaScript payloads through specially crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, potentially exposing restricted information. The root cause lies in insufficient sanitization of URL parameters or input fields within the application [1].
Exploitation
To exploit this vulnerability, an attacker must first be authenticated to the SAP BusinessObjects BI system. The attack vector is network-based, requiring the victim to click on a crafted link. No special privileges beyond standard user authentication are needed. The attacker can craft URLs containing malicious JavaScript that, when rendered by the victim's browser, executes in the context of the application's session [1].
Impact
Successful exploitation results in a low impact on confidentiality, meaning the attacker may gain access to restricted information visible in the victim's session. There is no impact on integrity or availability. The vulnerability does not allow direct modification of data or denial of service. The CVSS v3 base score is 4.1 (Medium), reflecting the limited scope and prerequisites [1].
Mitigation
SAP has released security patches as part of its regular Security Patch Day. Customers are advised to apply the relevant SAP Security Notes for their version. No workarounds are documented; upgrading to the patched version is the recommended action. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in the index yet)