high2026-07-14SAP NetWeaverCVE-2026-44752

Cross-Site Scripting in SAP NetWeaver AS Java Configuration Wizard

SAP NetWeaver Application Server Java (Configuration Wizard)

Our Take

XSS in an administrative tool is rated High because the target audience (admins) has elevated system access. An attacker who can lure an admin to a crafted URL gets admin-level code execution in the browser. Restrict the Configuration Wizard to internal networks — it should never be internet-accessible — and patch in the next scheduled window.

Vulnerability Detail

Unauthenticated cross-site scripting vulnerability in the Configuration Wizard component of SAP NetWeaver Application Server Java. An attacker can craft a malicious URL targeting the Configuration Wizard that, when visited by an authenticated administrator, executes scripts in the victim's browser context — potentially enabling session hijacking or administrative action injection.

Workaround

Restrict access to the NetWeaver Java Configuration Wizard to administrative networks only. The Configuration Wizard should never be accessible from the internet.

Patch Action

Apply SAP Note 3748227. Verify affected versions in the official SAP Note.

Patch Info

CVSS Score

8.2

SAP Note

3748227

CVE

CVE-2026-44752

Published

2026-07-14

← All patches