Stored Cross-Site Scripting in SAP NetWeaver Application Server ABAP
CVE-2025-26653

4.7 MEDIUM

Summary

The vulnerability in SAP NetWeaver Application Server ABAP arises from insufficient encoding of user-controlled input, which results in Stored Cross-Site Scripting (XSS). The flaw allows an attacker to inject malicious JavaScript into a web page, where it is stored and served to users who later visit that page. When a victim opens the affected page, the script executes in the context of the victim's browser, which can jeopardize sensitive information and user interactions, although system availability remains unaffected.

Affected Version(s)

SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KRNL64NUC 7.22

SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) 7.22EXT

SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KRNL64UC 7.22

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
