SAP patches severe vulnerabilities in NetWeaver and Commerce apps


SAP Security Note #3569602 covers a cross-site scripting (XSS) vulnerability in SAP Commerce, stemming from security bugs in the open-source library swagger-ui bundled with the widely used middleware.

Tracked as CVE-2025-27434, the flaw lies in Swagger UI's explore feature and gives an unauthenticated attacker a potential mechanism to inject malicious code from remote sources through a DOM-based XSS attack. A victim would first need to be tricked, for example through social engineering, into placing a malicious payload in an input field.

If successful, attackers would be able to breach the confidentiality, integrity, and availability of the application — earning the vulnerability a high CVSS score of 8.8.
