CVE-2026-0499 MEDIUM

CVE-2026-0499: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Vendor Sap_Se
Product SAP NetWeaver Enterprise Portal
Weakness CWE-79 · XSS
Published January 13, 2026
Last update January 13, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.

Key dates

02Disclosure timeline

January 13, 2026 CVE published
January 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-0683 Essential Addons for Elementor Lite <= 5.0.8 Reflected Cross-Site Scripting CVE-2022-39333 Cross-site scripting (XSS) in Nextcloud Desktop Client CVE-2025-32651 WordPress SERPed.net Plugin <= 4.6 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-3072 Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis CVE-2024-2202 Page Builder by SiteOrigin <= 2.29.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Legacy Image Widget