{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27683", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:17.028Z", "datePublished": "2026-04-14T00:08:15.599Z", "dateUpdated": "2026-04-14T13:14:17.886Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:08:15.599Z"}, "title": "Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP BusinessObjects Business Intelligence Platform", "versions": [{"status": "affected", "version": "ENTERPRISE 430"}, {"status": "affected", "version": "2025"}, {"status": "affected", "version": "2027"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user\ufffds browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user\ufffds browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3698216"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:54:08.264982Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:17.886Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27683", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:54:08.264982Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:06.302Z"}}], "cna": {"title": "Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP BusinessObjects Business Intelligence Platform", "versions": [{"status": "affected", "version": "ENTERPRISE 430"}, {"status": "affected", "version": "2025"}, {"status": "affected", "version": "2027"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3698216"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user\ufffds browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user\ufffds browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:08:15.599Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27683", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:17.886Z", "dateReserved": "2026-02-23T17:50:17.028Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:08:15.599Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user\ufffds browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability."}], "id": "CVE-2026-27683", "lastModified": "2026-04-17T15:18:16.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:06.717", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3698216"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "ENTERPRISE 430"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2025"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2027"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "SAP BusinessObjects Business Intelligence Platform", "source": "cna", "vendor": "SAP_SE"}, "product": "sap_business_objects_business_intelligence_platform", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-14T01:20:54.235616+00:00", "value": {"mitigation_remediation": ["Apply the latest SAP security patch for BusinessObjects Business Intelligence Platform as provided in the SAP Note 3698216", "If a patch is unavailable, limit URL input fields, perform strict escaping of query parameters, and configure the web server to block inline script execution", "Educate users to avoid clicking suspicious links and verify URL sources before accessing SAP BusinessObjects portals"], "summary": {"action": "Patch", "impact": "Information Disclosure via XSS"}, "threat_synthesis": {"affected_systems": "Vulnerable products include the SAP BusinessObjects Business Intelligence Platform. No specific affected software versions are supplied in the advisory, so all deployments of the platform that have not applied the latest SAP security patch may be at risk.", "description_and_impact": "A reflected cross\u2011site scripting flaw allows an authenticated user to embed malicious JavaScript within crafted URLs on the SAP BusinessObjects Business Intelligence Platform. When another user opens such a URL, the script runs in the victim's browser, potentially allowing the attacker to read or exfiltrate restricted information. Although the vulnerability carries a low CVSS score, it still permits the disclosure of confidential data without affecting integrity or availability.", "risk_and_exploitability": "The CVSS base score of 4.1 indicates low severity, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting a limited threat landscape. The likely attack path requires an authenticated attacker to craft a malicious URL and a separate victim user to click it; therefore the exploitability is constrained to social engineering or phishing scenarios. With the EPSS score unavailable, it is prudent to treat the risk as moderate until a real\u2011world exploit is documented."}}}}, "created": "2026-04-14T16:16:24.645119+00:00", "updated": "2026-04-14T16:31:21.111489+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_business_objects_business_intelligence_platform"]}