CVE-2026-0499Cross-site Scripting in SE SAP Netweaver Enterprise Portal

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
EPSS
0.1%
top 66.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Netweaver Enterprise Portal
Timeline
PublishedJan 13

Description

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

CVEListV5sap_se/sap_netweaver_enterprise_portalEP-RUNTIME 7.50

🔴Vulnerability Details

2
GHSA
GHSA-jmwc-hm8x-6w23: SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter2026-01-13
CVEList
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal2026-01-13
CVE-2026-0499 — Cross-site Scripting | cvebase