Severity: medium
Published: 2026-04-14
Product: SAP SRM
CVE: CVE-2026-0512

Cross-Site Scripting (XSS) in SAP Supplier Relationship Management

SAP Supplier Relationship Management (SICF Handler in SRM Catalog)

Our Take

Unauthenticated XSS on a procurement catalog is a real phishing risk in organizations where SRM is user-facing. If your SRM catalog is internet-accessible, move this up.

Vulnerability Detail

An unauthenticated attacker can craft a malicious URL that, when accessed by a victim, executes malicious scripts in the victim's browser via the SRM Catalog ICF service. Confidentiality and integrity are affected.
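The following defender-side example is added here and is not SAP code or part of the original advisory. It shows the two things a practitioner wants around a reflected XSS in a web handler: the unsafe reflection pattern next to its output-encoded form, and a scanner that flags requests to the catalog path whose query parameters carry script-like content, run over a few constructed access-log lines. The ICF service path and the log lines are assumptions; the advisory does not name the real path.

```python
"""Reflected XSS: vulnerable vs. hardened rendering, plus log-based detection.
Added example; not SAP code. Path prefix and log lines are constructed placeholders."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Placeholder for the affected catalog service path (assumption; not taken from the advisory).
CATALOG_PATH_PREFIX = "/sap/bc/srm/catalog"

# Heuristic indicators of script injection in a decoded parameter value.
# Deliberately narrow; tune for your environment and expect some false positives.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # inline event handlers such as onerror=
    re.compile(r"<\s*(img|svg|iframe|body)\b", re.I),
]


def render_unsafe(param: str) -> str:
    """'Before' pattern: a query parameter reflected verbatim into HTML (vulnerable)."""
    return f"<p>No results for {param}</p>"


def render_safe(param: str) -> str:
    """'After' pattern: entity-encode the value for an HTML text context before reflecting it."""
    return f"<p>No results for {html.escape(param, quote=True)}</p>"


def suspicious_params(url: str) -> dict:
    """Return {param: decoded_value} for query parameters of a catalog URL that look like XSS."""
    parts = urlsplit(url)
    if not parts.path.startswith(CATALOG_PATH_PREFIX):
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:                       # parse_qs already decoded once
            decoded = unquote_plus(value)          # second pass catches double-encoded payloads
            if any(p.search(decoded) for p in XSS_PATTERNS):
                hits[name] = decoded
    return hits


# Common log format: client ident user [time] "METHOD URL PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return a list of (client_ip, url, hits) for catalog requests carrying XSS-looking parameters."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("url"))
        if hits:
            findings.append((m.group("ip"), m.group("url"), hits))
    return findings


# Constructed sample lines: one benign search, one plain and one double-encoded injection
# attempt against the catalog path, and one attempt against an unrelated path (ignored).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Apr/2026:10:01:02 +0000] "GET /sap/bc/srm/catalog/search?q=laptop HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Apr/2026:10:01:07 +0000] "GET /sap/bc/srm/catalog/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [14/Apr/2026:10:01:09 +0000] "GET /sap/bc/srm/catalog/item?id=42&name=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 700',
    '10.0.0.7 - - [14/Apr/2026:10:02:00 +0000] "GET /sap/bc/other/app?q=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(render_unsafe("<b>x</b>"))
    print(render_safe("<b>x</b>"))
    for ip, url, hits in scan_access_log(SAMPLE_LOG):
        print(ip, url, hits)
```

The scanner restricts itself to the catalog path prefix so that noise from other services does not swamp the result, and decodes parameter values a second time because URL-encoding the payload twice is a routine way to slip past naive filters. The patterns are a starting point for a detection rule, not a WAF; the fix is the SAP Note, and the encoding in `render_safe` is the general principle the patch applies.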

Patch Action

Apply SAP Note 3645228.

Affected Versions

SRM_SERVER 702
SRM_SERVER 713
SRM_SERVER 714

Patch Info

Timing: 🟡 Next patch window
CVSS Score: 6.1
SAP Note: 3645228
CVE: CVE-2026-0512
Published: 2026-04-14

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.