CVE-2026-44752

SAP SE · SAP NetWeaver Application Server Java

SAP NetWeaver Application Server Java contains a cross-site scripting (XSS) vulnerability allowing unauthenticated attackers to inject malicious JavaScript through crafted URLs.

Executive summary

A high-severity cross-site scripting vulnerability in the SAP NetWeaver Application Server Java Configuration Wizard allows unauthenticated attackers to execute arbitrary scripts in a user's browser.

Vulnerability

This is a Cross-Site Scripting (XSS) vulnerability (CWE-79) where input is not properly neutralized during web page generation. The CVSS vector (PR:N) confirms that the vulnerability is exploitable by unauthenticated attackers.

Business impact

An attacker can exploit this vulnerability to perform actions on behalf of a victim, steal session cookies, or redirect users to malicious sites, leading to unauthorized access and potential data theft. With a CVSS score of 8.2, the risk is elevated, particularly given the potential for broad impact on users interacting with the Configuration Wizard.

Remediation

Immediate Action: Apply the vendor-provided security patches via the SAP Security Patch Day channels (Note 3748227).

Proactive Monitoring: Monitor web traffic for suspicious URL patterns containing script injection attempts directed at the Configuration Wizard.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block malicious scripts within incoming URL requests.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the unauthenticated nature of the exploit, this vulnerability poses a significant risk to the SAP environment. Administrators should review the official SAP security note 3748227 immediately and apply the necessary patches or configurations to remediate the XSS vulnerability.