CVE-2026-44768 in CRM WebClient UIinfo

Summary

by MITRE • 07/14/2026

SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability resides within SAP CRM WebClient UI where the absence of proper Content Security Policy configuration creates an environment susceptible to cross-site scripting attacks. The lack of restrictive CSP directives such as script-src, object-src, and frame-src allows attackers to inject malicious scripts that execute within the application context. According to CWE-1021, this represents a failure to properly implement security controls that would prevent unauthorized script execution. The vulnerability manifests when the application fails to enforce strict content policies that would otherwise block potentially harmful script injections from untrusted sources.

The technical flaw stems from inadequate web application security configuration where SAP CRM WebClient UI does not establish proper CSP headers to restrict script execution. Without these directives, attackers can leverage various injection vectors including reflected or stored XSS attacks to inject malicious JavaScript code that executes in the context of authenticated users. The vulnerability's low impact on integrity means that while script injection is possible, it does not directly compromise data integrity or application logic. However, this weakness serves as a potential entry point for more sophisticated attacks that could escalate privileges or extract sensitive information through session hijacking techniques.

The operational impact of this vulnerability extends beyond immediate script execution capabilities, creating opportunities for attackers to perform session manipulation and credential theft. While confidentiality and availability remain unaffected, the presence of XSS vulnerabilities can enable attackers to establish persistent access through session cookies or token harvesting. This aligns with ATT&CK technique T1059.007 for command and scripting interpreter, where attackers leverage browser-based scripting capabilities to execute malicious code. The vulnerability's classification under CWE-352 indicates insufficient input validation and output encoding practices that fail to properly sanitize user-supplied data before rendering in the application context.

Mitigation strategies should focus on implementing comprehensive CSP policies that include strict script-src directives limiting execution to trusted origins. Organizations must configure appropriate CSP headers with directives such as 'script-src self' or 'script-src https:' to prevent unauthorized script loading. Additionally, implementing proper input validation and output encoding mechanisms will help protect against XSS injection attempts. SAP customers should also consider implementing additional security controls including Content Security Policy enforcement through reverse proxies, regular security assessments, and monitoring for suspicious user behavior patterns that may indicate exploitation attempts. The implementation of these controls aligns with NIST SP 800-53 security requirements for web application security and helps establish a defense-in-depth approach to protecting SAP CRM environments from script injection attacks.

Responsible

Sap

Reservation

05/07/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

medium

Sources

Interested in the pricing of exploits?

See the underground prices here!