PatchSiren cyber security CVE debrief
CVE-2026-44746 SAP_SE CVE debrief
A reflected cross-site scripting (XSS) vulnerability exists in SAP NetWeaver JAVA (JDBC Test Servlet). An unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability.
- Vendor
- SAP_SE
- Product
- SAP NetWeaver AS Java (JDBC Test Servlet)
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-09
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-09
Who should care
Users of SAP NetWeaver JAVA (JDBC Test Servlet) should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.1 and a severity of MEDIUM. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The weakness is classified as CWE-79.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the security patch as described in SAP note [ref-4](https://me.sap.com/notes/3723655) and [ref-5](https://url.sap/sapsecuritypatchday).
Evidence notes
The CVE record [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-44746) and NVD detail [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-44746) provide additional information about this vulnerability.
Official resources
CVE-2026-44746 was published on 2026-06-09T01:16:46.467Z and modified on 2026-06-09T02:08:28.150Z.