CVE-2026-27682

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3728690	Permissions Required
https://url.sap/sapsecuritypatchday	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:netweaver_application_server_abap:700::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:701::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:702::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:731::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:740::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:750::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:751::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:752::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:753::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:754::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:755::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:756::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:757::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:758::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:816::::sap_basis:::
	cpe:2.3:a:sap:netweaver_application_server_abap:918::::sap_basis:::

History

03 Jun 2026, 19:08

Type	Values Removed	Values Added
CPE		cpe:2.3:a:sap:netweaver_application_server_abap:750::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:753::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:754::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:758::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:756::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:731::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:700::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:816::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:918::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:752::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:701::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:751::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:755::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:702::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:757::::sap_basis::: cpe:2.3:a:sap:netweaver_application_server_abap:740::::sap_basis:::
First Time		Sap netweaver Application Server Abap Sap
References	~~() https://me.sap.com/notes/3728690 -~~	() https://me.sap.com/notes/3728690 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Vendor Advisory

12 May 2026, 03:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 03:16

Updated : 2026-06-03 19:08

NVD link : CVE-2026-27682

Mitre link : CVE-2026-27682

CVE.ORG link : CVE-2026-27682

JSON object : View

Products Affected

sap

netweaver_application_server_abap

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.7 /10