CVE-2025-26653

Summary

SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim�s browser. Availability is not impacted.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KRNL64NUC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)7.22EXTaffected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KRNL64UC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)7.53affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 7.22affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)7.54affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)7.77affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)7.89affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)7.93affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)9.14affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References