CVE-2026-24323 — Open Redirect in SE SAP Document Management System

CWE-601 — Open Redirect3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.0%

top 93.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Document Management System SAP Document Management System SAP ERP +1 more

Timeline

PublishedFeb 10

Description

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDsap/erp618

▶NVDsap/s4core7 versions+6

▶NVDsap/document_management_system7 versions+6

▶CVEListV5sap_se/sap_document_management_system16 versions+15

🔴Vulnerability Details

CVEList

Multiple vulnerabilities in BSP Applications of SAP Document Management System↗2026-02-10

▶

GHSA

GHSA-wrmm-r226-5wrq: The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently san↗2026-02-10

▶