DOM-based XSS Vulnerability in SAP NetWeaver Application Server ABAP
CVE-2025-26659
Key Information:
- Vendor: SAP
- CVE Published: 11 March 2025
What is CVE-2025-26659?
The SAP NetWeaver Application Server ABAP contains a security issue where insufficient encoding of user-controlled inputs can be exploited, allowing for DOM-based Cross-Site Scripting (XSS) attacks. This vulnerability permits an unauthorized attacker to craft a harmful web message that takes advantage of the WEBGUI functionality. If exploited, the malicious JavaScript code executes within the victim's browser, which may lead to data compromise or manipulation of web content. Though the impact on confidentiality and integrity is limited, users remain at risk if this vulnerability persists.

Affected Version(s)
SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KRNL64UC 7.53
SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KERNEL 7.53
SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KERNEL 7.54