CVE-2026-24323 PUBLISHED

Multiple vulnerabilities in BSP Applications of SAP Document Management System

Assigner: sap
Reserved: 21.01.2026 Published: 10.02.2026 Updated: 10.02.2026

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim's browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Product Status

Vendor SAP_SE
Product SAP Document Management System
Versions Default: unaffected
  • Version SAP_APPL 618 is affected
  • Version S4CORE 102 is affected
  • Version 103 is affected
  • Version 104 is affected
  • Version 105 is affected
  • Version 106 is affected
  • Version 107 is affected
  • Version 108 is affected
  • Version 109 is affected
  • Version EA-APPL 600 is affected
  • Version 602 is affected
  • Version 603 is affected
  • Version 604 is affected
  • Version 605 is affected
  • Version 606 is affected
  • Version 617 is affected

References

Problem Types