Skip to content
Auto-CTI
Back to today
NEW MEDIUM A2

CVE-2026-44760: Cross-Site Scripting in SAP NetWeaver Application Server ABAP

A NVD · · CVE-2026-44760

Admiralty grading (A–F · 1–6)

Source reliability

  • A Completely reliable
  • B Usually reliable
  • C Fairly reliable
  • D Not usually reliable
  • E Unreliable
  • F Cannot be judged

Information credibility

  • 1 Confirmed
  • 2 Probably true
  • 3 Possibly true
  • 4 Doubtful
  • 5 Improbable
  • 6 Cannot be judged

NATO Admiralty (AJP-2.1) grades confidence, independent of the risk score. Cross-source corroboration isn't tracked for non-CVE news, so single-source items are capped at a lower credibility number; a low number does not imply low quality.

Key metrics

CVSS
4.7
EPSS
0%

Key insight

Reflected XSS in SAP NetWeaver enables JavaScript execution in the victim's browser under certain conditions, leading to session theft and authenticated actions in the user's context.

Description

A reflected Cross-Site Scripting vulnerability in the Business Server Pages Framework of SAP NetWeaver Application Server ABAP allows injection and execution of JavaScript code under certain conditions. Attackers can exploit unsanitized user input reflected in the HTTP response to execute malicious scripts in a victim's browser. This enables session hijacking, theft of authentication information, and execution of authorized actions with the compromised user's privileges. The vulnerability has low impact on confidentiality and integrity, with no impact on availability.

Risk score

57
cvss base
47.00
kev bonus
0.00
epss bonus
0.00
poc bonus
0.00
raw before weight
47.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00

Path: operational

ESC