CVE-2026-27682

Severity CVSS v4.0:
Pending analysis
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
12/05/2026
Last modified:
03/06/2026

Description

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:701:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:740:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:751:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:753:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:754:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:755:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:756:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:757:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:758:*:*:*:sap_basis:*:*:*
cpe:2.3:a:sap:netweaver_application_server_abap:816:*:*:*:sap_basis:*:*:*