Reflected XSS in SAP NetWeaver ABAP via unprotected URL param
CVE-2026-27682 Published on May 12, 2026

Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)
Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victims browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

NVD

Vulnerability Analysis

CVE-2026-27682 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-27682 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2026-27682

Want to know whenever a new CVE is published for SAP Netweaver Application Server Abap? stack.watch will email you.

SAP Netweaver Application Server Abap
 

Affected Versions

SAP_SE SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages):