CVE-2025-27434

Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI)

CVSS 8.8 HIGHEPSS 0.4%CWE-79

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.8EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Mar 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Due to insufficient input validation, SAP Commerce (Swagger UI) allows an unauthenticated attacker to inject the malicious code from remote sources, which can be leveraged by an attacker to execute a cross-site scripting (XSS) attack. This could lead to a high impact on the confidentiality, integrity, and availability of data in SAP Commerce.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

SAP_SE · SAP Commerce (Swagger UI)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://me.sap.com/notes/3569602 https://url.sap/sapsecuritypatchday