CVE-2025-26653 Overview
CVE-2025-26653 is a stored Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP. The flaw exists because the application does not sufficiently encode user-controlled inputs before rendering them in web responses. An unauthenticated attacker can inject malicious JavaScript that executes in the browser of any user who visits the affected page. Successful exploitation impacts the confidentiality and integrity of data within the victim's browser session, though availability is not affected. The weakness is classified under [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript into SAP NetWeaver ABAP pages, enabling session hijacking, credential theft, and unauthorized actions in the context of authenticated SAP users.
Affected Products
- SAP NetWeaver Application Server ABAP
Discovery Timeline
- 2025-04-08 - CVE-2025-26653 published to NVD
- 2025-04-08 - SAP releases security patch through SAP Note #3559307 on SAP Security Patch Day
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-26653
Vulnerability Analysis
The vulnerability resides in input handling routines within SAP NetWeaver Application Server ABAP. User-supplied data is stored server-side and later reflected into HTML responses without adequate output encoding. Because the payload persists on the server, every subsequent visitor to the affected page triggers the injected script. The stored nature of the flaw amplifies its reach compared to reflected XSS variants.
Exploitation requires user interaction, since a victim must load the page hosting the malicious payload. The attack scope is changed, meaning the injected script can affect resources beyond the vulnerable component. However, high attack complexity indicates that specific conditions such as targeted input fields or authentication contexts must be met to plant the payload successfully.
Root Cause
The root cause is missing or insufficient output encoding of user-controlled inputs rendered in HTML contexts. When the ABAP application writes stored data to a response, it does not apply HTML entity encoding for characters such as <, >, ", and '. This allows script tags and event handlers submitted by an attacker to be interpreted as executable JavaScript by the browser rather than displayed as inert text.
Attack Vector
An unauthenticated remote attacker submits crafted input containing JavaScript to a vulnerable ABAP endpoint. The server persists the payload without sanitization. When any user, including privileged administrators, later loads the page containing the stored payload, the script executes under their session context. The attacker can then exfiltrate session cookies, invoke SAP transactions on behalf of the victim, or pivot to further actions within the SAP environment.
Code-level exploitation details are not publicly documented. Refer to SAP Note #3559307 for vendor-provided technical guidance.
Detection Methods for CVE-2025-26653
Indicators of Compromise
- HTTP request bodies or query parameters containing <script> tags, javascript: URIs, or event handlers such as onerror= and onload= sent to SAP NetWeaver ABAP endpoints.
- Unexpected outbound requests from user browsers to attacker-controlled domains following visits to SAP web interfaces.
- Anomalous session token usage or SAP transactions originating from user accounts shortly after page loads.
Detection Strategies
- Inspect SAP NetWeaver web dispatcher and Internet Communication Manager (ICM) logs for stored payloads containing HTML or JavaScript syntax in user-controlled fields.
- Deploy web application firewall rules that flag script-like content submitted to ABAP endpoints handling form input.
- Review Content Security Policy (CSP) violation reports from SAP-facing browsers for blocked inline script executions.
Monitoring Recommendations
- Correlate authentication events with immediate high-privilege SAP transactions to detect session hijacking attempts.
- Monitor for unusual GUI-for-HTML or Fiori page rendering errors that may indicate injected content.
- Track modifications to persistent SAP data stores that hold user-supplied text fields, particularly those rendered in shared views.
How to Mitigate CVE-2025-26653
Immediate Actions Required
- Apply the patch referenced in SAP Note #3559307 to all SAP NetWeaver Application Server ABAP instances.
- Audit stored data in ABAP applications for existing malicious payloads and sanitize affected records.
- Restrict access to affected ABAP web interfaces to trusted networks until patching completes.
Patch Information
SAP released the fix on the April 2025 SAP Security Patch Day. Administrators must implement SAP Note #3559307 to remediate the vulnerability. Additional context is available on the SAP Security Patch Day Update portal. No official workaround replaces patch deployment.
Workarounds
- Enforce a strict Content Security Policy that disallows inline scripts and untrusted script sources on SAP-served pages.
- Place SAP NetWeaver web endpoints behind a web application firewall configured to strip or block HTML and script syntax in input fields.
- Limit unauthenticated access to ABAP endpoints that accept user-generated content pending patch application.
# Example WAF rule concept (ModSecurity-style) to block script payloads to SAP endpoints
SecRule REQUEST_URI "@beginsWith /sap/" \
"chain,phase:2,deny,status:403,msg:'Potential XSS payload to SAP NetWeaver'"
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

