CVE-2026-44760 in NetWeaver Application Server ABAP
Summary
by MITRE • 07/14/2026
Due to a Cross-Site Scripting (XSS) vulnerability, applications based on Business Server Pages framework in SAP NetWeaver Application Server ABAP reflects unsanitized input into the HTTP response which allows an attacker to inject and execute arbitrary JavaScript code under certain conditions. Successful exploitation could allow the attacker to steal session information, perform authenticated actions on behalf of the victim user etc. This vulnerability has low impact on confidentiality and integrity of the data and no impact on application 's availability.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability represents a critical cross-site scripting flaw within SAP NetWeaver Application Server ABAP framework that leverages the Business Server Pages implementation to execute malicious code through reflected input vectors. The vulnerability stems from insufficient input sanitization mechanisms that fail to properly escape or validate user-supplied data before incorporating it into HTTP responses, creating an avenue for attackers to inject JavaScript payloads that execute in the victim's browser context.
The technical exploitation of this vulnerability follows established patterns documented under CWE-79 - Cross-Site Scripting and aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, where attackers craft malicious inputs designed to exploit the reflected XSS condition. When a victim interacts with a specially crafted URL or form submission containing malicious JavaScript code, the application returns this unsanitized input directly to the user's browser, executing the script within the context of the authenticated session.
The operational impact extends beyond simple script execution, as successful exploitation enables attackers to perform session hijacking operations that compromise user authentication tokens and cookies. This allows unauthorized access to sensitive business applications and data without requiring legitimate credentials, potentially leading to complete account takeovers and privilege escalation within the SAP environment. The reflected nature of the vulnerability means that attackers can deliver payloads through various delivery mechanisms including email attachments, malicious links, or compromised web pages that redirect users to vulnerable application endpoints.
Security implications include unauthorized data access and modification capabilities, as attackers can leverage stolen session information to perform authenticated operations on behalf of legitimate users. This creates potential for financial fraud, data manipulation, and business process disruption within SAP systems. The vulnerability's classification as low impact on confidentiality and integrity reflects the fact that direct database compromise requires additional attack vectors beyond the XSS condition itself, though the session hijacking aspect provides significant lateral movement capabilities.
Organizations should implement comprehensive input validation and output encoding mechanisms to prevent XSS vulnerabilities in SAP environments, following OWASP secure coding guidelines and SAP security recommendations. Proper implementation of Content Security Policy headers, regular security assessments, and user education about phishing threats can significantly reduce exploitation risks. Additionally, applying SAP security patches and maintaining up-to-date application security controls remains essential for mitigating this and similar vulnerabilities that could compromise enterprise SAP infrastructure.