CVEFinder.io

CVE-2026-27682

medium
๐Ÿ” Scan for this CVE

Description

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

CVSS Score: 4.7 (Medium)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-05-12
First Seen: 2026-06-04
Relative Risk Intelligence

This CVE is Lower Risk - more severe than 13.8% of all 330,193 vulnerabilities in our database.

#284,724
Below average severity
Severity Percentile
CISA SSVC Assessment (Updated: May 12, 2026)
Exploitation Status: None (No known exploits)
Automatable: NO (Requires human interaction)
Technical Impact: Partial (Limited system impact)
SSVC data provided by CISA

Last Modified: 2026-06-03
CVSS Vector (3.1): CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE IDs (Weakness Types)

Affected Products: 16

References: 2

Related CVEs: 6

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-27680 | low | 3.1 | 0.0 | Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inj... | 2026-05-14 |
| CVE-2026-40135 | medium | 6.5 | 0.1 | An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that all... | 2026-05-12 |
| CVE-2026-34257 | medium | 6.1 | 0.1 | Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft ... | 2026-04-14 |
| CVE-2026-24309 | medium | 6.4 | 0.1 | Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute... | 2026-03-10 |
| CVE-2026-24310 | low | 3.5 | 0.0 | Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute... | 2026-03-10 |
| CVE-2026-24316 | medium | 6.4 | 0.0 | SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP reques... | 2026-03-10 |
These CVEs affect the same products