CVE-2026-44752
SAP SE · SAP NetWeaver Application Server Java
SAP NetWeaver Application Server Java contains a cross-site scripting (XSS) vulnerability allowing unauthenticated attackers to inject malicious JavaScript through crafted URLs.
Executive summary
A high-severity cross-site scripting vulnerability in the SAP NetWeaver Application Server Java Configuration Wizard allows unauthenticated attackers to execute arbitrary scripts in a user's browser.
Vulnerability
This is a Cross-Site Scripting (XSS) vulnerability (CWE-79) where input is not properly neutralized during web page generation. The CVSS vector (PR:N) confirms that the vulnerability is exploitable by unauthenticated attackers.
Business impact
An attacker can exploit this vulnerability to perform actions on behalf of a victim, steal session cookies, or redirect users to malicious sites, leading to unauthorized access and potential data theft. With a CVSS score of 8.2, the risk is elevated, particularly given the potential for broad impact on users interacting with the Configuration Wizard.
Remediation
Immediate Action: Apply the vendor-provided security patches via the SAP Security Patch Day channels (Note 3748227).
Proactive Monitoring: Monitor web traffic for suspicious URL patterns containing script injection attempts directed at the Configuration Wizard.
Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block malicious scripts within incoming URL requests.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the unauthenticated nature of the exploit, this vulnerability poses a significant risk to the SAP environment. Administrators should review the official SAP security note 3748227 immediately and apply the necessary patches or configurations to remediate the XSS vulnerability.