SAP BusinessObjects Enterprise Stored XSS via inadequate input encoding
CVE-2026-24325 Published on February 10, 2026
Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)
SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website, and the injected script gets executed when the user visits the compromised page. This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application.
Vulnerability Analysis
CVE-2026-24325 can be exploited with network access and requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2026-24325 has been classified as an XSS vulnerability or weakness.
Products Associated with CVE-2026-24325
Affected Versions
SAP_SE SAP BusinessObjects Enterprise (Central Management Console):
- Version ENTERPRISE 430 is affected.
- Version 2025 is affected.
- Version 2027 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.