CVE-2026-24325 PUBLISHED

Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)

Assigner: sap
Reserved: 21.01.2026 Published: 10.02.2026 Updated: 10.02.2026

SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website and the injected script gets executed when the user visits the compromised page.This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 4.8

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP BusinessObjects Enterprise (Central Management Console)
Versions	Default: unaffected Version ENTERPRISE 430 is affected Version 2025 is affected Version 2027 is affected

CVE-2026-24325 PUBLISHED

Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)

Metrics

Product Status

References

Problem Types