Intel

AIKIDO-2026-707978

@ui5/webcomponents-base is vulnerable to Inclusion of Functionality from Untrusted Control Sphere

Inclusion of Functionality from Untrusted Control Sphere Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

JS@ui5/webcomponents-base
1.12.0 - 2.17.1
Fixed in 2.17.2
Are you affected? Scan for Free

TL;DR

The framework validates the configured themeRoot in validateThemeRoot before creating the theme CSS <link> element that loads style variables. Protocol-relative URLs such as //attacker.example start with /, so they are treated as relative paths and resolved against the current page, producing the attacker origin and bypassing the origin allowlist that is enforced for other absolute cross-origin URLs. An application that lets untrusted input reach the themeRoot configuration therefore loads theme stylesheets from an attacker-controlled origin, enabling external CSS injection. The fix resolves protocol-relative and relative inputs to the current origin and only creates the link element from a validated, normalized theme root.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application has not disabled sap-ui-theme URL-parameter configuration.

Background info

@ui5/webcomponents-base is vulnerable to Inclusion of Functionality from Untrusted Control Sphere in versions 1.12.0 - 2.17.1.

How to fix this

Upgrade the @ui5/webcomponents-base library to the patch version.