Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
CVE-2026-40137

6.1MEDIUM

Key Information:

Vendor: SAP
Status: Business Server Pages Application (taf Applauncher)
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-40137?

SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.

Affected Version(s)

Business Server Pages Application (TAF_APPLAUNCHER) ST-PI 740

Business Server Pages Application (TAF_APPLAUNCHER) 758

References

https://me.sap.com/notes/3727717

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 9, 2026

CVE-2026-40137 Data

JSON