CVE-2025-42956

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.2%

top 55.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Abap SAP SAP Basis

Timeline

PublishedJul 8

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_abap15 versions+14

▶NVDsap/sap_basis15 versions+14

Patches

Patch: url.sap ↗

🔴Vulnerability Details

GHSA

GHSA-fghj-5cg6-fhcg: SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly ava↗2025-07-08

▶

CVEList

Multiple vulnerabilities in SAP NetWeaver Application Server ABAP↗2025-07-08

▶