Detections
Analytics
SAP NetWeaver AS Java Reflected XSS (3723655)
medium Nessus Plugin ID 320860
Synopsis
The remote SAP NetWeaver AS Java server is affected by a cross-site scripting vulnerability.Description
The version of SAP NetWeaver Application Server Java detected on the remote host is affected by a reflected cross-site scripting vulnerability as referenced in SAP Security Note 3723655:- Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability. (CVE-2026-44746)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Apply the appropriate patch according to the vendor advisory.See Also
Plugin Details
Severity: Medium
ID: 320860
File Name: sap_netweaver_as_java_3723655.nasl
Version: 1.1
Type: Remote
Family: Web Servers
Published: 6/12/2026
Updated: 6/12/2026
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Score Source: CVE-2026-44746
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Information
CPE: cpe:/a:sap:netweaver_application_server
Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 6/9/2026
Vulnerability Publication Date: 6/9/2026
Reference Information
CVE: CVE-2026-44746
IAVA: 2026-A-0556