setThemeRoot() failed to enforce the sap-allowed-theme...
Moderate severity
Unreviewed
Published
Jul 14, 2026
to the GitHub Advisory Database
•
Updated Jul 14, 2026
Description
Published by the National Vulnerability Database
Jul 14, 2026
Published to the GitHub Advisory Database
Jul 14, 2026
Last updated
Jul 14, 2026
setThemeRoot() failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a element, even when no tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL parameter.Exploitation requires attacker-influenced input (e.g., a URL query parameter, tenant configuration, or user-supplied setting) to reach setThemeRoot(). A successful exploit allows an attacker to inject arbitrary CSS into the victim page, enabling:- UI redressing and clickjacking- Phishing overlays- Visual defacement- Limited data exfiltration via CSS attribute selectors targeting predictable DOM content
References