PatchSiren cyber security CVE debrief
CVE-2026-44760 SAP_SE CVE debrief
A Cross-Site Scripting (XSS) vulnerability exists in SAP NetWeaver Application Server ABAP, specifically in applications based on the Business Server Pages framework. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code under certain conditions by reflecting unsanitized input into the HTTP response. The impact on confidentiality and integrity is considered low, but exploitation could allow attackers to steal session information or perform actions on behalf of the victim user. Administrators and users of SAP NetWeaver Application Server ABAP, particularly those utilizing the Business Server Pages framework, should be aware of this vulnerability and take necessary precautions. The CVE record was published on 2026-07-14T01:16:17.910Z and has not been modified since then.
- Vendor
- SAP_SE
- Product
- SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)
- CVSS
- MEDIUM 4.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Administrators and users of SAP NetWeaver Application Server ABAP, particularly those utilizing the Business Server Pages framework, should be aware of this vulnerability. The impact on confidentiality and integrity is low, but exploitation could allow attackers to steal session information or perform actions on behalf of the victim user.
Technical summary
The CVE-2026-44760 vulnerability is a Cross-Site Scripting (XSS) issue within the Business Server Pages framework of SAP NetWeaver Application Server ABAP. It has a CVSS score of 4.7, classified as MEDIUM severity. The vulnerability allows attackers to inject JavaScript code, potentially leading to session theft or unauthorized actions on behalf of the user. The attack vector is network-based, requiring user interaction.
Defensive priority
Medium priority should be given to patching this vulnerability, as it could allow for unauthorized actions and session theft, although the impact on data confidentiality and integrity is considered low.
Recommended defensive actions
- Apply the security patches provided by SAP as soon as possible.
- Review and update input validation and sanitization practices for the Business Server Pages framework.
- Implement additional monitoring to detect potential exploitation attempts.
- Educate users about the risks and the importance of reporting suspicious activities.
- Perform a thorough review of the current system configuration to identify potential vulnerabilities.
- Conduct regular security audits to ensure the integrity of the system.
- Establish a process for tracking and addressing vulnerabilities in a timely manner.
Evidence notes
The CVE record was published on 2026-07-14T01:16:17.910Z and has not been modified since then. The NVD entry is currently in the 'Received' status. SAP has provided references to security notes and patches for mitigation.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T01:16:17.910Z and has not been modified since then. The NVD entry is currently Received.