CVE-2026-40137
Description
SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP TAF_APPLAUNCHER open redirect allows unauthenticated attackers to craft malicious links that redirect victims to attacker-controlled sites.
The vulnerability is an open redirect in the SAP TAF_APPLAUNCHER component of Business Server Pages. An unauthenticated attacker can craft a malicious link that, when clicked, redirects the victim to an external attacker-controlled site due to insufficient validation of redirect URLs.
Exploitation requires the victim to click on the crafted link, which can be delivered via email or other channels. No authentication or special network position is required.
The impact is low on confidentiality and integrity, as the attacker may obtain or alter sensitive information in the victim's browser session. Availability is not affected.
SAP has released security patches as part of its monthly Security Patch Day [1]. Users are advised to apply the latest SAP Security Notes to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.