CVE-2026-27683— Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Possible ATT&CK Techniques 2AI
T1005 · Data from Local System T1059 · Command and Scripting InterpreterGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-27683
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Source: NVD (National Vulnerability Database)
Vulnerability Description
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP BusinessObjects Business Intelligence 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP BusinessObjects Business Intelligence是德国思爱普(SAP)公司的一款BI工具。 SAP BusinessObjects Business Intelligence存在跨站脚本漏洞,该漏洞源于允许经过身份验证的攻击者通过特制URL注入恶意JavaScript有效载荷,可能导致用户访问URL时在浏览器中执行脚本并泄露受限信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP BusinessObjects Business Intelligence Platform | ENTERPRISE 430 | - |
II. Public POCs for CVE-2026-27683
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-27683
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2026-04-14 · 17 CVEs total
| CVE-2026-27681 | 9.9 CRITICAL | SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Wa |
| CVE-2026-34256 | 7.1 HIGH | Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) |
| CVE-2026-34264 | 6.5 MEDIUM | Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA |
| CVE-2026-34261 | 6.5 MEDIUM | Missing Authorization check in SAP Business Analytics and SAP Content Management |
| CVE-2026-27679 | 6.5 MEDIUM | Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Struct |
| CVE-2026-27678 | 6.5 MEDIUM | Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structu |
| CVE-2026-27677 | 6.5 MEDIUM | Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment) |
| CVE-2026-34257 | 6.1 MEDIUM | Open Redirect vulnerability in SAP NetWeaver Application Server ABAP |
| CVE-2026-27674 | 6.1 MEDIUM | Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java) |
| CVE-2026-0512 | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Han |
| CVE-2026-34262 | 5.0 MEDIUM | Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer |
| CVE-2026-27673 | 4.9 MEDIUM | Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise) |
| CVE-2026-27676 | 4.3 MEDIUM | Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structur |
| CVE-2026-27672 | 4.3 MEDIUM | Missing Authorization check in Material Master Application |
| CVE-2026-24318 | 4.2 MEDIUM | Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Pla |
| CVE-2026-27675 | 2.0 LOW | Code Injection vulnerability in SAP Landscape Transformation |
IV. Related Vulnerabilities
Same product: SAP BusinessObjects Business Intelligence Platform
- CVE-2026-0502
Cross Site Request Forgery (CSRF) in SAP BusinessObjects Bus - CVE-2026-24318
Insecure Session Management vulnerability in SAP BusinessObj - CVE-2026-0508
Open Redirect vulnerability in SAP BusinessObjects Business - CVE-2025-42896
Server-Side Request Forgery (SSRF) in SAP BusinessObjects Bu - CVE-2025-31332
Insecure File permissions vulnerability in SAP BusinessObjec
Same vendor: SAP_SE
- CVE-2026-44749
Information Disclosure vulnerability in SAP Gateway - CVE-2026-27680
CSS Injection vulnerability in SAP NetWeaver Application Ser - CVE-2026-40137
Cross-Site Scripting (XSS) vulnerability in Business Server - CVE-2026-40136
Denial of service (DoS) in SAP Financial Consolidation - CVE-2026-40135
OS Command Injection vulnerability in SAP NetWeaver Applicat
Same weakness: CWE-79
- CVE-2026-46426
Budibase: Unrestricted Upload of File with Dangerous Type - CVE-2026-48149
Budibase: Stored XSS in Text component: BASIC users execute - CVE-2026-49044
WordPress Advanced Custom Fields: Font Awesome Field plugin - CVE-2026-49102
Webmin <2.640 XSS漏洞 - CVE-2026-47119
Agent Zero < 1.15 Stored XSS via image_get API Endpoint
V. Comments for CVE-2026-27683
No comments yet