Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)
CVE-2026-27682

4.7MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server Abap (applications Based On Business Server Pages)
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-27682?

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

Affected Version(s)

SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 700

SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 701

SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 702

References

https://me.sap.com/notes/3728690

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Feb 23, 2026

CVE-2026-27682 Data

JSON