Cross-Origin Bypass in SAP Software Components
CVE-2026-44767

6.1MEDIUM

Key Information:

Vendor

SAP

Vendor
CVE Published:
14 July 2026

What is CVE-2026-44767?

A vulnerability exists in SAP Software Components where the setThemeRoot() function fails to enforce the sap-allowed-theme-origins allowlist. This issue allows an attacker to store and utilize a malicious absolute cross-origin URL to construct a element, regardless of the absence of the tag. Attackers can exploit this weakness through manipulated input, such as URL query parameters or user settings, leading to the injection of arbitrary CSS into the victim's page. Successful exploitation can result in UI redressing, clickjacking, phishing overlays, visual defacement, and potential data exfiltration via CSS attribute selectors targeting predictable DOM content.

Affected Version(s)

@ui5/webcomponents-base @ui5/webcomponents-base < 2.21.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.