{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24328", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-01-21T22:15:36.673Z", "datePublished": "2026-02-10T03:04:54.749Z", "dateUpdated": "2026-02-10T15:41:55.313Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Business Server Pages Application (TAF_APPLAUNCHER)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "ST-PI 2008_1_700"}, {"status": "affected", "version": "2008_1_710"}, {"status": "affected", "version": "740"}, {"status": "affected", "version": "758"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim\ufffds browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.</p>"}], "value": "SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim\ufffds browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:04:54.749Z"}, "references": [{"url": "https://me.sap.com/notes/3688319"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:41:38.041599Z", "id": "CVE-2026-24328", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:41:55.313Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:41:38.041599Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:41:50.331Z"}}], "cna": {"title": "Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "Business Server Pages Application (TAF_APPLAUNCHER)", "versions": [{"status": "affected", "version": "ST-PI 2008_1_700"}, {"status": "affected", "version": "2008_1_710"}, {"status": "affected", "version": "740"}, {"status": "affected", "version": "758"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3688319"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim\ufffds browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim\ufffds browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:04:54.749Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24328", "state": "PUBLISHED", "dateUpdated": "2026-02-10T15:41:55.313Z", "dateReserved": "2026-01-21T22:15:36.673Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:04:54.749Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_server_pages:740:*:*:*:*:*:*:*", "matchCriteriaId": "CC862E54-CEB7-4A61-BFEC-9ED2372109FC", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_server_pages:758:*:*:*:*:*:*:*", "matchCriteriaId": "41EE398C-9049-44E7-AFCF-26441F66D886", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_server_pages:2008_1_700:*:*:*:*:*:*:*", "matchCriteriaId": "B2F28858-4CDD-42CB-93E4-26B56B67B6CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:business_server_pages:2008_1_710:*:*:*:*:*:*:*", "matchCriteriaId": "FD8EF5BB-C105-403F-A2C2-F916FE0732E7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim\ufffds browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application."}, {"lang": "es", "value": "SAP TAF_APPLAUNCHER dentro de Business Server Pages permite a un atacante no autenticado crear enlaces maliciosos que, al ser pulsados por una v\u00edctima, los redirigen a sitios controlados por el atacante, exponiendo o alterando potencialmente informaci\u00f3n sensible en el navegador de la v\u00edctima. Esto resulta en un impacto bajo en la confidencialidad y la integridad, sin impacto en la disponibilidad de la aplicaci\u00f3n."}], "id": "CVE-2026-24328", "lastModified": "2026-02-17T15:10:34.963", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-02-10T04:16:05.273", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3688319"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "ST-PI 2008_1_700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2008_1_710"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "740"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "758"}}], "product": "business_server_pages_application_(taf_applauncher)", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-17T20:54:30.354351+00:00", "value": {"mitigation_remediation": ["Download and install the SAP security patch referenced in SAP Note\u202f3688319 and the SAP Security Patch Day documentation", "Configure web application firewalls or URL filtering to block or validate redirects originating from TAF_APPLAUNCHER", "Ensure that all publicly exposed links are checked for proper input validation to mitigate CWE\u2011601 type weaknesses"], "summary": {"action": "Apply Patch", "impact": "Open Redirection"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in versions of SAP Business Server Pages identified by the following CPEs: SAP Business Server Pages 2008_1_700, 2008_1_710, 740, and 758. These versions correspond to the Business Server Pages Application (TAF_APPLAUNCHER) from SAP SE.", "description_and_impact": "A specific component of SAP Business Server Pages, TAF_APPLAUNCHER, can accept specially crafted URLs from unauthenticated users. When a victim clicks such a link, the application redirects the browser to an attacker\u2011controlled site. This behavior can lead to the disclosure or alteration of sensitive data within the victim\u2019s browser session, though it does not affect the availability of the application itself. The flaw is a classic input\u2011validation weakness represented by CWE\u2011601.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity level. The EPSS score is below 1\u202f%, suggesting a low probability of exploitation at this moment. The vulnerability is not listed in CISA\u2019s known exploited vulnerabilities catalog. The attack vector is relatively straightforward: an attacker does not need authentication or privileged access; they only need to trick a user into clicking a malicious link, which can be delivered via email or embedded in web content. If exploited, the impact is limited to confidentiality and integrity within the victim\u2019s browser context and does not impair application availability."}}}}, "created": "2026-02-10T11:34:35.250814+00:00", "updated": "2026-04-17T21:00:12.715569+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$business_server_pages_application_(taf_applauncher)"]}