CVE-2026-44767
The CVE-2026-44767 issue arises from setThemeRoot() not enforcing the sap-allowed-theme-origins allowlist, allowing an attacker-controlled absolute cross-origin URL to be stored and used in a element even without a sap-allowed-theme-origins meta tag. The same bypass is reachable via the ?sap-the...