CVE-2026-34258 - Vulnerability Details - OpenCVE

SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap Se	Sapui5 (search Ui)

No data.

No data.

References

Link	Providers
https://www.spirityenterprise.com/sap-hana
https://www.spirityenterprise.com/sap-hana-migration
https://me.sap.com/notes/3726583
https://url.sap/sapsecuritypatchday

History

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sapui5 (search Ui)
Vendors & Products		Sap Se Sap Se sapui5 (search Ui)

Tue, 12 May 2026 03:00:00 +0000

Type	Values Removed	Values Added
Description		SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.
Title		Content Spoofing vulnerability in SAPUI5 (Search UI)
Weaknesses		CWE-451
References		https://me.sap.com/notes/3726583 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-05-12T02:19:41.585Z

Updated: 2026-05-12T13:10:03.038Z

Reserved: 2026-03-26T19:02:45.982Z

Link: CVE-2026-34258

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T03:16:11.247

Modified: 2026-05-12T03:16:11.247

Link: CVE-2026-34258

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34258", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-03-26T19:02:45.982Z", "datePublished": "2026-05-12T02:19:41.585Z", "dateUpdated": "2026-05-12T13:10:03.038Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-05-12T02:19:41.585Z"}, "title": "Content Spoofing vulnerability in SAPUI5 (Search UI)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-451", "description": "CWE-451: User Interface Misrepresentation of Critical Information", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAPUI5 (Search UI)", "versions": [{"status": "affected", "version": "SAPUI5 1.108"}, {"status": "affected", "version": "1.120"}, {"status": "affected", "version": "1.136"}, {"status": "affected", "version": "1.142"}, {"status": "affected", "version": "1.71"}, {"status": "affected", "version": "1.84"}, {"status": "affected", "version": "1.96"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3726583"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-12T13:09:52.175406Z", "id": "CVE-2026-34258", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-12T13:10:03.038Z"}}]}}