SAP Enterprise Application Software
Products by SAP Sorted by Most Security Vulnerabilities since 2018
Recent SAP Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-02-10 | SAP Security Patch Day - February 2026 | February 10, 2026 |
| 2026-01-13 | SAP Security Patch Day - January 2026 | January 13, 2026 |
| 2025-12-09 | SAP Security Patch Day - December 2025 | December 9, 2025 |
| 2025-11-11 | SAP Security Patch Day - November 2025 | November 11, 2025 |
| 2025-10-12 | SAP Security Patch Day - October 2025 | October 12, 2025 |
| 2025-09-12 | SAP Security Patch Day - September 2025 | September 12, 2025 |
| 2025-08-12 | SAP Security Patch Day - August 2025 | August 12, 2025 |
| 2025-07-12 | SAP Security Patch Day - July 2025 | July 12, 2025 |
| 2025-06-12 | SAP Security Patch Day - June 2025 | June 12, 2025 |
| 2025-05-12 | SAP Security Patch Day – May 2025 | May 12, 2025 |
Known Exploited SAP Vulnerabilities
The following SAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| SAP NetWeaver Deserialization Vulnerability | SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content. CVE-2025-42999. Exploit Probability: 65.7% | May 15, 2025 |
| SAP NetWeaver Unrestricted File Upload Vulnerability | SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. CVE-2025-31324. Exploit Probability: 35.3% | April 29, 2025 |
| SAP NetWeaver Directory Traversal Vulnerability | SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string. CVE-2017-12637. Exploit Probability: 93.2% | March 19, 2025 |
| SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability | SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extensions that allows for code injection. CVE-2019-0344. Exploit Probability: 40.6% | September 30, 2024 |
| SAP Multiple Products HTTP Request Smuggling Vulnerability | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches. CVE-2022-22536. Exploit Probability: 93.8% | August 18, 2022 |
| SAP NetWeaver Unrestricted File Upload Vulnerability | SAP NetWeaver contains a vulnerability that allows unrestricted file upload. CVE-2021-38163. Exploit Probability: 84.8% | June 9, 2022 |
| SAP NetWeaver SQL Injection Vulnerability | SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CVE-2016-2386. Exploit Probability: 44.0% | June 9, 2022 |
| SAP NetWeaver Information Disclosure Vulnerability | The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. CVE-2016-2388. Exploit Probability: 62.3% | June 9, 2022 |
| SAP NetWeaver AS JAVA CRM Remote Code Execution Vulnerability | SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 and 7.54 allow an attacker to exploit insufficient validation of path information provided by users; characters representing "traverse to parent directory" are passed through to the file APIs. CVE-2018-2380. Exploit Probability: 45.5% | November 3, 2021 |
| SAP NetWeaver AS JAVA Remote Code Execution Vulnerability | The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. CVE-2010-5326. Exploit Probability: 16.9% | November 3, 2021 |
| SAP NetWeaver AS JAVA XXE Vulnerability | BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. CVE-2016-9563. Exploit Probability: 58.4% | November 3, 2021 |
| SAP NetWeaver JAVA Remote Unauthenticated Access Vulnerability | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system. CVE-2020-6287. Exploit Probability: 94.4% | November 3, 2021 |
| SAP Solution Manager Missing Authentication Check Complete Compromise of SMD Agents Vulnerability | SAP Solution Manager (User Experience Monitoring), version 7.2, due to a Missing Authentication Check, does not perform any authentication for a service, resulting in complete compromise of all SMD Agents connected to the Solution Manager. CVE-2020-6207. Exploit Probability: 94.2% | November 3, 2021 |
| SAP NetWeaver AS Java 7.1 - 7.5 Directory Traversal Vulnerability | Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. CVE-2016-3976. Exploit Probability: 81.5% | November 3, 2021 |
Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 7 known exploited SAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2026 there have been 48 vulnerabilities in SAP with an average score of 6.2 out of ten. Last year, in 2025, SAP had 202 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in SAP in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.00.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 48 | 6.21 |
| 2025 | 202 | 6.22 |
| 2024 | 106 | 6.11 |
| 2023 | 167 | 6.71 |
| 2022 | 188 | 6.70 |
| 2021 | 204 | 6.74 |
| 2020 | 207 | 7.48 |
| 2019 | 123 | 6.67 |
| 2018 | 127 | 6.94 |
It may take a day or so for new SAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent SAP Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-24314 | Feb 24, 2026 | Authenticated Info Disclosure in SAP S/4HANA Payment Media. Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application, while integrity and availability are not impacted. |
| CVE-2026-24328 | Feb 10, 2026 | SAP TAF_APPLAUNCHER Open Redirect via crafted link. SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application. |
| CVE-2026-24327 | Feb 10, 2026 | SAP Strategic Enterprise Management - Unauthorized Access via Missing Auth Check. Due to a missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availability. |
| CVE-2026-24326 | Feb 10, 2026 | SAP S/4HANA DefSec: Missing Auth in Disconnected Ops Enables FM Table Update. Due to a missing authorization check in the Disconnected Operations of SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to perform a direct update on a standard SAP database table. This results in low impact on integrity, with no impact on confidentiality or availability of the application. |
| CVE-2026-24325 | Feb 10, 2026 | SAP BusinessObjects Enterprise Stored XSS via inadequate input encoding. SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScript into a website, and the injected script gets executed when a user visits the compromised page. This vulnerability has low impact on confidentiality and integrity of the data. There is no impact on the availability of the application. |
| CVE-2026-24324 | Feb 10, 2026 | SAP BusinessObjects BI Platform AdminTools Denial-of-Service via CMS Crash. SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management Server (CMS) to crash, rendering the CMS partially or completely unavailable and resulting in a denial of service of the CMS. Successful exploitation impacts system availability, while confidentiality and integrity remain unaffected. |
| CVE-2026-24323 | Feb 10, 2026 | XSS in BSP Web App via Unsanitized URL Params. The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim's browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application. |
| CVE-2026-24322 | Feb 10, 2026 | Authorization Bypass in SAP ST-PI Enables Sensitive Data Disclosure. SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. |
| CVE-2026-24321 | Feb 10, 2026 | SAP Commerce Cloud Open API Endpoint Disclosure (Unauth). SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability. |
| CVE-2026-24320 | Feb 10, 2026 | SAP NetWeaver ABAP MemCorrupt Exploit CVE-2026-24320. Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may result in memory corruption and the potential leakage of memory content. Successful exploitation of this vulnerability would have a low impact on the confidentiality of the application, with no effect on its integrity or availability. |
| CVE-2026-24319 | Feb 10, 2026 | CVE-2026-24319: SAP Business One Memory Dump Info Disclosure. In SAP Business One, sensitive information is written to the application's memory dump files without obfuscation. Gaining access to this information could potentially lead to unauthorized operations within the B1 environment, including modification of company data. This issue results in a high impact on confidentiality and integrity, with no impact on availability. |
| CVE-2026-24312 | Feb 10, 2026 | SAP Business Workflow Priv Escalation via Auth Check. An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensitive function to execute unauthorized, high-privilege actions. This has a high impact on data integrity, with low impact on confidentiality and no impact on availability of the application. |
| CVE-2026-23689 | Feb 10, 2026 | DoS via uncontrolled loop in SAP NetWeaver Remote-Enabled Function. Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected. |
| CVE-2026-23688 | Feb 10, 2026 | SAP Fiori App Manage Service Entry Sheets PrivEsc via Missing Auth Checks. SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on integrity; confidentiality and availability are not impacted. |
| CVE-2026-23687 | Feb 10, 2026 | SAP NetWeaver ABAP Signed XML Tampering Attack. SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage. |
| CVE-2026-23686 | Feb 10, 2026 | CRLF Injection in SAP NetWeaver Application Server Java. Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected. |
| CVE-2026-23685 | Feb 10, 2026 | SAP NetWeaver JMS Deserialization: High Impact DoS. Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. |
| CVE-2026-23684 | Feb 10, 2026 | SAP Commerce Cloud Cart Entry Race Condition. A race condition vulnerability exists in SAP Commerce Cloud. Because of this, when an attacker adds products to a cart, a cart entry may be created with an erroneous product value which could then be checked out. This leads to high impact on data integrity, with no impact on data confidentiality or availability of the application. |
| CVE-2026-23681 | Feb 10, 2026 | SAP Support Tools Plug-In: Function-Module Authorization Bypass. Due to a missing authorization check in a function module in SAP Support Tools Plug-In, an authenticated attacker could invoke specific function modules to retrieve information about the system and its configuration. This disclosure of system information could assist the attacker in planning subsequent attacks. This vulnerability has a low impact on the confidentiality of the application, with no effect on its integrity or availability. |
| CVE-2026-0509 | Feb 10, 2026 | SAP NetWeaver App Server ABAP Remote Function Call Auth Bypass. SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application. |
| CVE-2026-0508 | Feb 10, 2026 | SAP BusinessObjects BI Platform: Authenticated URL Redirection to Malicious Site. The SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker with high privileges to insert a malicious URL within the application. Upon successful exploitation, the victim may click on this malicious URL, resulting in an unvalidated redirect to the attacker-controlled domain and a subsequent download of malicious content. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on its availability. |
| CVE-2026-0505 | Feb 10, 2026 | Unvalidated URL Redirection in BSP Applications (CVE-2026-0505). The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not sufficiently validated. This could result in unvalidated redirection to attacker-controlled websites, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application. |
| CVE-2026-0490 | Feb 10, 2026 | Availability outage in SAP BO BI Platform via Trusted Endpoint auth bypass. SAP BusinessObjects BI Platform allows an unauthenticated attacker to craft a specific network request to the trusted endpoint that breaks authentication, which prevents legitimate users from accessing the platform. As a result, it has a high impact on availability but no impact on confidentiality and integrity. |
| CVE-2026-0488 | Feb 10, 2026 | SAP S/4HANA & CRM Scripting Editor Arbitrary SQL Injection. An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, including the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability. |
| CVE-2026-0486 | Feb 10, 2026 | SAP ABAP Remote Function Module Auth Bypass Exposes System Info. In ABAP-based SAP systems, a remote-enabled function module does not perform necessary authorization checks for an authenticated user, resulting in disclosure of system information. This has low impact on confidentiality; integrity and availability are not impacted. |
| CVE-2026-0485 | Feb 10, 2026 | Unauthenticated CMS Crash (CVE-2026-0485) in SAP BusinessObjects BI Platform. SAP BusinessObjects BI Platform allows an unauthenticated attacker to send specially crafted requests that could cause the Content Management Server (CMS) to crash and automatically restart. By repeatedly submitting these requests, the attacker could induce a persistent service disruption, rendering the CMS completely unavailable. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected. |
| CVE-2026-0484 | Feb 10, 2026 | Auth Bypass in SAP NetWeaver ABAP Tx Code Enables Data Tampering. Due to a missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify text data in the system. This vulnerability has a high impact on integrity of the application, with no effect on confidentiality and availability. |
| CVE-2020-37022 | Jan 30, 2026 | OpenZ ERP <3.6.60 XSS in Employee Module. OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. |
| CVE-2026-23683 | Jan 27, 2026 | SAP Fiori Auth Bypass in Intercompany Balance Reconciliation. SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality; integrity and availability are not impacted. |
| CVE-2026-0514 | Jan 13, 2026 | XSS in SAP Business Connector Allows Redirection to Malicious Site. Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the web client, impacting confidentiality and integrity, with no effect on availability. |
| CVE-2026-0513 | Jan 13, 2026 | Open Redirect in SAP SRM SICF Handler (CVE-2026-0513). Due to an Open Redirect vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This causes low impact on integrity of the application. Confidentiality and availability are not impacted. |
| CVE-2026-0511 | Jan 13, 2026 | Privilege Escalation in SAP Fiori Intercompany Balance App. SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application; availability is not impacted. |
| CVE-2026-0510 | Jan 13, 2026 | SAP NetWeaver AS Java UME Uses Obsolete Crypto, Enabling Partial Data Disclosure. The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions, potentially leading to partial disclosure of sensitive information. This has low impact on confidentiality, with no impact on integrity and availability of the application. |
| CVE-2026-0507 | Jan 13, 2026 | SAP AppSrv ABAP OS Command Injection via RFC SDK. Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system's confidentiality, integrity, and availability. |
| CVE-2026-0506 | Jan 13, 2026 | SAP ABAP Missing Auth Check: RFC Enables FORM Exec (CVE-2026-0506). Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected. |
| CVE-2026-0504 | Jan 13, 2026 | SAP IDM REST JNDI RCE via Malicious Input. Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability. |
| CVE-2026-0503 | Jan 13, 2026 | SAP ECC/S4HANA: Missing Auth Bypass Exposes Hardcoded Creds (CVE-2026-0503). Due to a missing authorization check in SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application, which might further affect subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application, with no effect on availability. |
| CVE-2026-0501 | Jan 13, 2026 | SAP S/4HANA Private Cloud/On-Prem SQL Injection in FGL. Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application. |
| CVE-2026-0500 | Jan 13, 2026 | SAP Wily Introscope JNLP RCE Vulnerability. Due to the usage of a vulnerable third-party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible via a public-facing URL. When a victim clicks on the URL, the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromise the confidentiality, integrity and availability of the system. |
| CVE-2026-0499 | Jan 13, 2026 | SAP NetWeaver EW Portal XSS via URL Reflections. SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability. |
| CVE-2026-0498 | Jan 13, 2026 | SAP S/4HANA RFC Code Injection Backdoor. SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in a function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code or OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise and undermining the confidentiality, integrity and availability of the system. |
| CVE-2026-0497 | Jan 13, 2026 | SAP Product Designer Web UI Auth Bypass - Non-Admin Info Disclosure. SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application. |
| CVE-2026-0496 | Jan 13, 2026 | SAP Fiori App file upload without validation (CVE-2026-0496). SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application. |
| CVE-2026-0495 | Jan 13, 2026 | SAP Fiori Intercompany Reconciliation Email Injection via Uploaded Files. SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary email addresses, which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application. |
| CVE-2026-0494 | Jan 13, 2026 | SAP Fiori Intercompany Balance Recon: Restricted Data Exposure. Under certain conditions the SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application; integrity and availability are not impacted. |
| CVE-2026-0493 | Jan 13, 2026 | SAP Fiori App CSRF: Unintended State-Changing Actions. Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type. This deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user, causing low impact on integrity of the system. This has no impact on confidentiality and availability. |
| CVE-2026-0492 | Jan 13, 2026 | SAP HANA Privilege Escalation via User Switching. SAP HANA database is vulnerable to privilege escalation, allowing an attacker with valid credentials of any user to switch to another user and potentially gain administrative access. This exploit could result in a total compromise of the system's confidentiality, integrity, and availability. |
| CVE-2026-0491 | Jan 13, 2026 | SAP LT RFC Function Module Exploit Allows Admin to Inject ABAP/OS Code. SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in a function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code or OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise and undermining the confidentiality, integrity and availability of the system. |
| CVE-2025-42928 | Dec 09, 2025 | SAP jConnect High-Privileged Deserialization RCE. Under certain conditions, a high-privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability, resulting in high impact on confidentiality, integrity and availability of the system. |
| CVE-2025-42904 | Dec 09, 2025 | Info Disclosure in SAP ABAP App Server via Unmasked ABAP Lists. Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability. |