SAPUI5 Search UI XSS via URL Parameter Manipulation
CVE-2026-34258 Published on May 12, 2026
Content Spoofing vulnerability in SAPUI5 (Search UI)
SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.
Vulnerability Analysis
CVE-2026-34258 is exploitable with network access and requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
User Interface (UI) Misrepresentation of Critical Information
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
Affected Versions
SAP_SE SAPUI5 (Search UI):
- Version SAPUI5 1.108 is affected.
- Version 1.120 is affected.
- Version 1.136 is affected.
- Version 1.142 is affected.
- Version 1.71 is affected.
- Version 1.84 is affected.
- Version 1.96 is affected.