{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0512", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:50.861Z", "datePublished": "2026-04-14T00:06:08.757Z", "dateUpdated": "2026-04-14T13:14:19.450Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:06:08.757Z"}, "title": "Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "versions": [{"status": "affected", "version": "SRM_SERVER 702"}, {"status": "affected", "version": "713"}, {"status": "affected", "version": "714"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3645228"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:57:13.474424Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:19.450Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0512", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:57:13.474424Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:28.819Z"}}], "cna": {"title": "Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "versions": [{"status": "affected", "version": "SRM_SERVER 702"}, {"status": "affected", "version": "713"}, {"status": "affected", "version": "714"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3645228"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:06:08.757Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0512", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:19.450Z", "dateReserved": "2025-12-09T22:06:50.861Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:06:08.757Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected."}], "id": "CVE-2026-0512", "lastModified": "2026-04-14T00:16:03.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:03.700", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3645228"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SRM_SERVER 702"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "713"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "714"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "SAP Supplier Relationship Management (SICF Handler in SRM Catalog)", "source": "cna", "vendor": "SAP_SE"}, "product": "supplier_relationship_management", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:25:16.017432+00:00", "value": {"mitigation_remediation": ["Verify which SAP Supplier Relationship Management installations include the SICF Handler and assess if the version is vulnerable.", "Apply the security update or patch provided in SAP Note 3645228 as soon as it is available.", "If immediate patching is not possible, block or filter malicious URLs and restrict scripting in browsers to reduce the impact.", "Continuously monitor application logs for suspicious XSS activity and conduct periodic security reviews."], "summary": {"action": "Apply Patch", "impact": "Cross-site scripting"}, "threat_synthesis": {"affected_systems": "SAP Supplier Relationship Management, specifically the SICF Handler in the SRM Catalog. No vendor\u2011specific version information is provided in the CVE data, so all installations that include this handler are potentially impacted until a patch is applied.", "description_and_impact": "The vulnerability is a browser-based cross\u2011site scripting flaw that allows an unauthenticated attacker to craft a malicious URL. When a victim follows that link, the attacker's code is executed inside the victim\u2019s browser, enabling the attacker to access or modify sensitive application data, thereby compromising confidentiality and integrity while leaving availability intact.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate risk. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation appears to require an attacker to supply a malicious link to a user, suggesting a social\u2011engineering or remote\u2011access attack vector that can be mitigated with timely patching and user awareness."}}}}, "created": "2026-04-14T16:16:36.580853+00:00", "updated": "2026-04-14T16:31:33.273423+00:00", "vendors": ["sap", "sap$PRODUCT$supplier_relationship_management"]}