VYPR
Medium severity 6.1 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-44746

Description

Reflected XSS in SAP NetWeaver JAVA's JDBC Test Servlet allows unauthenticated attackers to execute malicious scripts in victim browsers via crafted URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected cross-site scripting (XSS) vulnerability exists in the JDBC Test Servlet component of SAP NetWeaver JAVA. This issue affects unauthenticated users. The vulnerability is triggered when an attacker crafts a URL containing malicious script input, which is then processed during web page generation.

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL and tricking a victim into clicking it. The attacker does not require any special privileges or network position beyond being able to send a URL to the victim. User interaction is required in the form of the victim clicking the crafted link.

Impact

Successful exploitation allows an attacker to execute arbitrary malicious content within the victim's browser. This can lead to the access and/or modification of information related to the web client, impacting the confidentiality and integrity of the application. There is no impact on availability.

Mitigation

SAP regularly releases security corrections via SAP Security Notes on its SAP Security Patch Day, scheduled for the second Tuesday of every month [1]. Customers are advised to implement these corrections as a priority. Specific details regarding the fixed version and release date for this particular vulnerability are not yet disclosed in the available references, but SAP Security Notes with low or medium priority contain corrections in at least the newest support package in all mainstream and extended maintenance releases [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

1