PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44760 SAP_SE CVE debrief

A Cross-Site Scripting (XSS) vulnerability exists in SAP NetWeaver Application Server ABAP, specifically in applications based on the Business Server Pages framework. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code under certain conditions by reflecting unsanitized input into the HTTP response. The impact on confidentiality and integrity is considered low, but exploitation could allow attackers to steal session information or perform actions on behalf of the victim user. Administrators and users of SAP NetWeaver Application Server ABAP, particularly those utilizing the Business Server Pages framework, should be aware of this vulnerability and take necessary precautions. The CVE record was published on 2026-07-14T01:16:17.910Z and has not been modified since then.

Vendor
SAP_SE
Product
SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Administrators and users of SAP NetWeaver Application Server ABAP, particularly those utilizing the Business Server Pages framework, should be aware of this vulnerability. The impact on confidentiality and integrity is low, but exploitation could allow attackers to steal session information or perform actions on behalf of the victim user.

Technical summary

The CVE-2026-44760 vulnerability is a Cross-Site Scripting (XSS) issue within the Business Server Pages framework of SAP NetWeaver Application Server ABAP. It has a CVSS score of 4.7, classified as MEDIUM severity. The vulnerability allows attackers to inject JavaScript code, potentially leading to session theft or unauthorized actions on behalf of the user. The attack vector is network-based, requiring user interaction.

Defensive priority

Medium priority should be given to patching this vulnerability, as it could allow for unauthorized actions and session theft, although the impact on data confidentiality and integrity is considered low.

Recommended defensive actions

  • Apply the security patches provided by SAP as soon as possible.
  • Review and update input validation and sanitization practices for the Business Server Pages framework.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Educate users about the risks and the importance of reporting suspicious activities.
  • Perform a thorough review of the current system configuration to identify potential vulnerabilities.
  • Conduct regular security audits to ensure the integrity of the system.
  • Establish a process for tracking and addressing vulnerabilities in a timely manner.

Evidence notes

The CVE record was published on 2026-07-14T01:16:17.910Z and has not been modified since then. The NVD entry is currently in the 'Received' status. SAP has provided references to security notes and patches for mitigation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T01:16:17.910Z and has not been modified since then. The NVD entry is currently Received.