Medium | 2026-06-09 | SAP NetWeaver | CVE-2026-44746

Reflected XSS in SAP NetWeaver AS Java JDBC Test Servlet

SAP NetWeaver Application Server Java (BW Business Explorer JDBC Test Servlet)

Our Take

JDBC Test Servlets should never be exposed to untrusted networks. If you run NetWeaver AS Java, verify that this endpoint is not reachable from the internet or broadly from the intranet, then patch in the next window.

Vulnerability Detail

Reflected cross-site scripting vulnerability in the JDBC Test Servlet of the BW Business Explorer component in SAP NetWeaver AS Java. An attacker can craft a malicious URL that, when visited by an authenticated user, executes scripts in the victim's browser context — enabling session hijacking, phishing, or credential theft.

Patch Action

Apply SAP Note 3723655.

Affected Versions

ENGINEAPI 7.50

Patch Info

CVSS Score: 6.1
SAP Note: 3723655
CVE: CVE-2026-44746
Published: 2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.