medium | 2026-04-14 | SAP SRM | CVE-2026-0512

Cross-Site Scripting (XSS) in SAP Supplier Relationship Management

SAP Supplier Relationship Management (SICF Handler in SRM Catalog)

Our Take

Unauthenticated reflected XSS on a procurement catalog is a realistic phishing vector in organizations where SRM is user-facing: a crafted link sent to a buyer runs attacker-controlled script in that buyer's browser against the catalog service. If the SRM Catalog ICF service is reachable from the internet, rank this above its medium CVSS score in your patch queue.

Vulnerability Detail

An unauthenticated attacker can craft a malicious URL that, when opened by a victim, executes attacker-controlled script in the victim's browser in the context of the SRM Catalog ICF service (a reflected cross-site scripting flaw in the SICF handler). Confidentiality and integrity are affected; availability is not. Exploitation requires the victim to follow the link, which is why the base score stays in the medium range.

Patch Action

Apply SAP Note 3645228 to every affected SRM_SERVER system. Confirm the note's implementation status in transaction SNOTE on each system rather than inferring it from the release number alone.

Affected Versions

SRM_SERVER 702
SRM_SERVER 713
SRM_SERVER 714
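The following script is an added example, not part of this advisory or of any SAP tool. It turns the affected-release list above and the exposure caveat from "Our Take" into a triage pass over a system inventory: it flags installs whose SRM_SERVER release is 702, 713 or 714 and ranks internet-facing ones first. The inventory format (SID, software component, release, SP level, exposure) and the four sample systems are constructed for the example; adapt `parse_inventory` to your own CMDB or Solution Manager export. A release match only marks a candidate; whether SAP Note 3645228 is already implemented must still be checked in SNOTE on the system itself.

```python
"""Triage candidates for CVE-2026-0512 (SAP Note 3645228) from a system inventory.

Added example, not advisory or SAP code. The inventory format and sample
systems below are constructed; the only facts taken from the advisory are the
affected SRM_SERVER releases and the note number.
"""
from dataclasses import dataclass

AFFECTED_RELEASES = {"702", "713", "714"}   # from the advisory
SAP_NOTE = "3645228"                         # from the advisory

# Constructed sample inventory: SID, component, release, SP level, exposure.
SAMPLE_INVENTORY = """
# SID  COMPONENT   REL  SP    EXPOSURE
SRP    SRM_SERVER  713  0012  internet
SRD    SRM_SERVER  714  0003  intranet
ECP    SAP_BASIS   740  0020  intranet
SRQ    SRM_SERVER  702  0018  intranet
"""


@dataclass
class System:
    sid: str
    component: str
    release: str
    sp_level: str
    internet_facing: bool


def parse_inventory(text: str) -> list[System]:
    """Parse whitespace-separated lines of SID COMPONENT RELEASE SP EXPOSURE.

    Blank lines and '#' comments are skipped. Exposure is 'internet' or
    anything else (treated as not internet-facing).
    """
    systems = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid, component, release, sp_level, exposure = line.split()
        systems.append(System(sid, component, release, sp_level,
                              exposure.lower() == "internet"))
    return systems


def triage(systems: list[System]) -> list[tuple[str, str, str]]:
    """Return (SID, release, priority) for SRM_SERVER installs on an affected
    release. Internet-facing systems get 'high', the rest 'medium', mirroring
    the advisory's guidance to escalate exposed catalogs. Other components are
    ignored because the flaw is in SRM_SERVER only.
    """
    results = []
    for s in systems:
        if s.component != "SRM_SERVER" or s.release not in AFFECTED_RELEASES:
            continue
        priority = "high" if s.internet_facing else "medium"
        results.append((s.sid, s.release, priority))
    # High-priority systems first, then alphabetical by SID for stable output.
    results.sort(key=lambda r: (r[2] != "high", r[0]))
    return results


if __name__ == "__main__":
    for sid, release, priority in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{sid}: SRM_SERVER {release} affected, priority {priority}, "
              f"verify SAP Note {SAP_NOTE} status in SNOTE")
```

Run it against the constructed inventory and SRP (release 713, internet-facing) comes out first as high priority; SRD and SRQ are flagged as medium; ECP is skipped because it is not an SRM_SERVER install.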

Patch Info

CVSS Score

6.1

SAP Note

3645228

CVE

CVE-2026-0512

Published

2026-04-14

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.