medium | 2026-05-12 | SAP NetWeaver | CVE-2026-40137

Reflected XSS in Business Server Pages TAF_APPLAUNCHER

Business Server Pages (TAF_APPLAUNCHER) — Component-Based Test Automation

Our Take

Narrow version coverage (ST-PI 740, 758) and limited to a test automation BSP. Lower urgency unless you actively use Component-Based Test Automation.

Vulnerability Detail

Reflected cross-site scripting vulnerability in the TAF_APPLAUNCHER Business Server Page used by Component-Based Test Automation. An attacker can craft a URL that, when accessed by a victim, executes scripts in the victim's browser context.

Patch Action

Apply SAP Note 3727717.

Affected Versions

ST-PI 740, 758

Patch Info

CVSS Score

6.1

SAP Note

3727717

CVE

CVE-2026-40137

Published

2026-05-12

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.