CVE-2026-0505

Published: Feb 10, 2026Modified: Feb 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: CNA

Description

The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.

Affected (15)

Products: Sap: Document Management System, Erp, S4core

Sap

3 products

Document Management System

Erp

S4core

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Sap Document Management System	Version 600
Sap Document Management System	Version 602
Sap Document Management System	Version 603
Sap Document Management System	Version 604
Sap Document Management System	Version 605
Sap Document Management System	Version 606
Sap Document Management System	Version 617
Sap Erp	Version 618
Sap S4core	Version 102
Sap S4core	Version 103
Sap S4core	Version 104
Sap S4core	Version 105
Sap S4core	Version 106
Sap S4core	Version 107
Sap S4core	Version 108

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://me.sap.com/notes/3678417

Source: cna@sap.com

Permissions Required

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Vendor Advisory

Timeline

No history available yet.