SAP Security Note #3569602 covers a cross-site scripting (XSS) vulnerability in SAP Commerce, stemming from security bugs in the open-source library swagger-ui that is bundled with the widely used middleware.
Tracked as CVE-2025-27434, the flaw in Swagger UI gives an unauthenticated attacker a possible way to inject malicious code from remote sources via a DOM-based XSS attack. Any potential victim would first have to be tricked into putting a malicious payload into an input field, most likely through social engineering.
If successful, attackers could compromise the confidentiality, integrity, and availability of the application, which earns the vulnerability a high CVSS score of 8.8.