CVE-2025-26659

Summary

SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of victim�s browser potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There is no impact on availability

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KRNL64UC 7.53affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 7.53affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 7.54affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 7.77affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 7.89affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 7.93affected
SAP_SESAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)KERNEL 9.14affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References