CVE-2026-27682
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
12/05/2026
Last modified:
03/06/2026
Description
Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
Impact
Base Score 3.x
4.70
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_basis:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:816:*:*:*:sap_basis:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



