Reflected Cross-Site Scripting Vulnerability in SAP NetWeaver Application Server ABAP
CVE-2026-27682

4.7 MEDIUM

What is CVE-2026-27682?

A reflected cross-site scripting (XSS) vulnerability exists in SAP NetWeaver Application Server ABAP. An unauthenticated attacker can craft a malicious URL that abuses unprotected URL parameters. If a user clicks such a link, the injected script executes in that user's browser session, potentially leading to unauthorized access to and manipulation of sensitive information. The availability of the application is maintained.

Affected Version(s)

SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 700

SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 701

SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) SAP_BASIS 702

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
