SAP SAP Enterprise Application Software

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any SAP product.

RSS Feeds for SAP security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in SAP products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by SAP Sorted by Most Security Vulnerabilities since 2018

SAP NetWeaver79 vulnerabilities

SAP Netweaver As Abap45 vulnerabilities

SAP S4hana44 vulnerabilities

SAP Solution Manager33 vulnerabilities

SAP Business One32 vulnerabilities

SAP Netweaver Abap24 vulnerabilities

SAP Businessobjects23 vulnerabilities

SAP Commerce Cloud23 vulnerabilities

SAP Enable Now15 vulnerabilities

SAP Web Dispatcher14 vulnerabilities

SAP Abap Platform13 vulnerabilities

SAP Host Agent13 vulnerabilities

SAP Hana12 vulnerabilities

SAP S4core11 vulnerabilities

SAP Financial Consolidation10 vulnerabilities

SAP Cloud Connector9 vulnerabilities

SAP Commerce9 vulnerabilities

SAP Landscape Management8 vulnerabilities

SAP Business Warehouse8 vulnerabilities

SAP S4 Hana7 vulnerabilities

SAP Basis7 vulnerabilities

SAP Hana Database7 vulnerabilities

SAP Sql Anywhere6 vulnerabilities

SAP Powerdesigner6 vulnerabilities

SAP Erp5 vulnerabilities

SAP Fiori Launchpad5 vulnerabilities

SAP Gui For Windows5 vulnerabilities

Sap Business Connector5 vulnerabilities

SAP Identity Management5 vulnerabilities

SAP Bw4hana5 vulnerabilities

SAP Content Server5 vulnerabilities

SAP Fiori4 vulnerabilities

SAP Commoncryptolib4 vulnerabilities

SAP Diagnostics Agent4 vulnerabilities

Sapcar4 vulnerabilities

SAP Gateway3 vulnerabilities

SAP Crm Webclient Ui3 vulnerabilities

SAP Bank Account Management2 vulnerabilities

Recent SAP Security Advisories

Advisory Title Published
2026-07-14 SAP Security Patch Day - July 2026 July 14, 2026
2026-06-10 SAP Security Patch Day - June 2026 June 10, 2026
2026-05-12 SAP Security Patch Day - May 2026 May 12, 2026
2026-04-14 SAP Security Patch Day - April 2026 April 14, 2026
2026-03-11 SAP Security Patch Day - March 2026 March 11, 2026
2026-02-10 SAP Security Patch Day - February 2026 February 10, 2026
2026-01-13 SAP Security Patch Day - January 2026 January 13, 2026
2025-12-09 SAP Security Patch Day - December 2025 December 9, 2025
2025-11-11 SAP Security Patch Day - November 2025 November 11, 2025
2025-10-12 SAP Security Patch Day - October 2025 October 12, 2025

Known Exploited SAP Vulnerabilities

The following SAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
SAP NetWeaver Deserialization Vulnerability SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
CVE-2025-42999 Exploit Probability: 11.2%
May 15, 2025
SAP NetWeaver Unrestricted File Upload Vulnerability SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
CVE-2025-31324 Exploit Probability: 99.4%
April 29, 2025
SAP NetWeaver Directory Traversal Vulnerability SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.
CVE-2017-12637 Exploit Probability: 94.6%
March 19, 2025
SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.
CVE-2019-0344 Exploit Probability: 7.1%
September 30, 2024
SAP Multiple Products HTTP Request Smuggling Vulnerability SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches.
CVE-2022-22536 Exploit Probability: 97.9%
August 18, 2022
SAP NetWeaver Unrestricted File Upload vulnerability SAP NetWeaver contains a vulnerability that allows unrestricted file upload.
CVE-2021-38163 Exploit Probability: 35.4%
June 9, 2022
SAP NetWeaver SQL Injection Vulnerability SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2016-2386 Exploit Probability: 71.1%
June 9, 2022
SAP NetWeaver Information Disclorsure Vulnerability The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.
CVE-2016-2388 Exploit Probability: 51.6%
June 9, 2022
SAP NetWeaver AS JAVA CRM Remote Code Execution Vulnerability SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
CVE-2018-2380 Exploit Probability: 28.9%
November 3, 2021
SAP NetWeaver AS JAVA Remote Code Execution Vulnerability The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request.
CVE-2010-5326 Exploit Probability: 17.5%
November 3, 2021
SAP NetWeaver AS JAVA XXE Vulnerability BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
CVE-2016-9563 Exploit Probability: 23.8%
November 3, 2021
SAP Netweaver JAVA remote unauthenticated access vulnerability SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system.
CVE-2020-6287 Exploit Probability: 94.7%
November 3, 2021
SAP Solution Manager Missing Authentication Check Complete Compromise of SMD Agents vulnerability SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
CVE-2020-6207 Exploit Probability: 98.3%
November 3, 2021
SAP NetWeaver AS Java 7.1 - 7.5 Directory Traversal Vulnerability Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
CVE-2016-3976 Exploit Probability: 46.6%
November 3, 2021

Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 7 known exploited SAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 131 vulnerabilities in SAP with an average score of 6.3 out of ten. Last year, in 2025 SAP had 207 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in SAP in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.08.




Year Vulnerabilities Average Score
2026 131 6.31
2025 207 6.23
2024 106 6.11
2023 167 6.71
2022 188 6.70
2021 204 6.74
2020 207 7.48
2019 124 6.70
2018 127 6.94

It may take a day or so for new SAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent SAP Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-44767 Jul 14, 2026
SAP UI5 setThemeRoot() CSS Injection XSS for UI Redressing setThemeRoot() failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a <link rel=stylesheet> element, even when no <meta name=sap-allowed-theme-origins> tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL parameter.Exploitation requires attacker-influenced input (e.g., a URL query parameter, tenant configuration, or user-supplied setting) to reach setThemeRoot(). A successful exploit allows an attacker to inject arbitrary CSS into the victim page, enabling:- UI redressing and clickjacking- Phishing overlays- Visual defacement- Limited data exfiltration via CSS attribute selectors targeting predictable DOM content
CVE-2026-58233 Jul 14, 2026
SAP ctsattach Insecure Deserialization RCE via Malicious Archive SAP Change and Transport System Attach Tool (ctsattach) allows an authenticated attacker to supply a specially crafted archive file which, when processed by the applications library, can trigger insecure deserialization and lead to remote code execution (RCE) on the system. Successful exploitation requires a victim to process the malicious archive, enabling the attacker to execute the RCE and extract sensitive information and gain control over the system and its processes. This vulnerability has a high impact on confidentiality and integrity of the data, with a low impact on the availability of the system.
CVE-2026-44771 Jul 14, 2026
SAP S/4HANA Draft Auth Bypass Escalation of Privileges SAP S/4HANA Draft operation does not perform necessary authorization checks for an authenticated user, a restricted user could access information within the entity resulting in escalation of privileges. This results in low impact on confidentiality, with no impact on integrity and availability of the application.
S4hana
CVE-2026-44770 Jul 14, 2026
SAP S/4HANA CPS Payment Auth Bypass SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the application.
S4hana
CVE-2026-44769 Jul 14, 2026
High-Privilege DB Query Execution Exposing Backend in SAP S/4HANA PPM-PRO SAP S/4HANA application Project Management (PPM-PRO) allows an attacker with high privileges to execute crafted database queries, exposing the backend database. This results in low impact on confidentiality, with no impact on integrity and availability of the application.
S4hana
CVE-2026-44768 Jul 14, 2026
SAP CRM WebClient UI CSP Bypass Allows XSS Injection SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.
Crm Webclient Ui
CVE-2026-44761 Jul 14, 2026
SAP Commerce Cloud OAuth2 Sample Credentials Leak Unauthorized API Access SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.
Commerce Cloud
CVE-2026-44760 Jul 14, 2026
SAP NetWeaver ABAP XSS Improper Input Sanitization Due to a Cross-Site Scripting (XSS) vulnerability, applications based on Business Server Pages framework in SAP NetWeaver Application Server ABAP reflects unsanitized input into the HTTP response which allows an attacker to inject and execute arbitrary JavaScript code under certain conditions. Successful exploitation could allow the attacker to steal session information, perform authenticated actions on behalf of the victim user etc. This vulnerability has low impact on confidentiality and integrity of the data and no impact on application 's availability.
Netweaver Application Server Abap
CVE-2026-44759 Jul 14, 2026
SAP NetWeaver EW Portal Reflected XSS via URL param SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.
Netweaver Enterprise Portal
CVE-2026-44753 Jul 14, 2026
Unauth Resp-Disposition Enum in SAP HANA User Self Service Tools SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.
Hana Extended Application Services
CVE-2026-44752 Jul 14, 2026
SAP NetWeaver AS Java: Unauth XSS via crafted URL injection SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data displayed in the clients browser. This results in a high impact on confidentiality, low impact on integrity with no impact on availability of the application.
Netweaver Application Server Java
CVE-2026-44747 Jul 14, 2026
SAP NetWeaver ABAP Memory Corruption Authenticated RCE SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability. This has high impact on confidentiality, integrity, and availability of the application.
Netweaver Application Server Abap
CVE-2026-44745 Jul 14, 2026
SAP Approuter OAuth2 Header Validation Flaw (CVE202644745) SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results in a high impact to the confidentiality and integrity with no impact on the availability of the application.
CVE-2026-27690 Jul 14, 2026
HTTP Req Smuggling in SAP Approuter: High-Impact CnC/AV Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.
CVE-2026-0487 Jul 14, 2026
SAProuter Windows: DLL Hijack Enables Arbitrary Code Exec SAProuter on Microsoft Windows allows an unauthenticated attacker to load library (DLL) files from an untrusted location, allowing them to execute malicious code on the system. This could enable the attacker to hijack the DLL loading process and achieve arbitrary code execution. This has high impact on confidentiality, integrity and availability of the system.
CVE-2026-44757 Jun 09, 2026
XSS in SAP Wily Introscope Enterprise Manager SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the users browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability.
CVE-2026-44755 Jun 09, 2026
SAP BusinessObjects BI Platform: Email Spoofing via Unvalidated Send Params SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability.This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application.
Business Objects Business Intelligence Platform
CVE-2026-44754 Jun 09, 2026
SAP ODP-RFC API - Caller Identification Missing Opens Data Disclosure The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.
CVE-2026-44751 Jun 09, 2026
SAP ABAP Report Auth Bypass => Priv Escalation Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application.
NetWeaver
CVE-2026-44750 Jun 09, 2026
SAP MDG Review Match Groups App Auth Bypass Enables Priv Esc SAP MDG (Review Match Groups Application) does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while confidentiality and availability are not impacted.
CVE-2026-44748 Jun 09, 2026
SAP NetWeaver ABAP Signed XML Tampering via Authenticated Attack SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.
NetWeaver
CVE-2026-44746 Jun 09, 2026
XSS in SAP NetWeaver Java JDBC Test Servlet Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability.
NetWeaver
CVE-2026-44744 Jun 09, 2026
SQLi in SAP S/4HANA Remote Function Module (Auth, High Conf Impact) SAP S/4HANA(On-Premise) contains SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries.This flaw exposes sensitive information to which they should not otherwise have access to. The vulnerability has a high impact on the confidentiality of the data with no impact on the integrity and availability of the application.
S4hana
CVE-2026-44743 Jun 09, 2026
SAP Business Objects Info Leak via Unauthorized Endpoint Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information .This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application.
Businessobjects
CVE-2026-40128 Jun 09, 2026
Path Traversal via FileInclusion in SAP NetWeaver App Server Web Container SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.
Netweaver Application Server Java
CVE-2026-27671 Jun 09, 2026
SAP NetWeaver ABAP: Kernel RFC Memory Corruption Vulnerability Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.
NetWeaver
CVE-2026-24315 Jun 09, 2026
SAP Fiori Launchpad URL Manipulation Enables Credential Theft SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.
Fiori Launchpad
CVE-2026-44749 May 26, 2026
SAP Gtw ErrMsg Injection Exposes URI Parse Logic The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leading to low impact on confidentiality. Integrity and availability are unaffected.
Gateway
CVE-2026-27680 May 14, 2026
CVE-2026-27680: SAP NetWeaver ABAP CSS Injection (Low Conf) Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.
Netweaver Application Server Abap
CVE-2026-43515 May 12, 2026
Apache Tomcat Flaw via Multiple HTTP Methods (pre-9.0.118/10.1.55/11.0.22) Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
CVE-2026-43512 May 12, 2026
Apache Tomcat Auth Bypass via Digest Auth (<=9.0.117, 10.1.54, 11.0.21) DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
CVE-2026-41293 May 12, 2026
Apache Tomcat Improper Input Validation (v10-11.x) Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
CVE-2026-40137 May 12, 2026
SAP BSP TAF_APPLAUNCHER Unauth Link Redirect (XSS) SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victims browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.
CVE-2026-40136 May 12, 2026
SAP Financial Consolidation Authenticated Session Termination SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions temporarily preventing access. However, the application itself cannot be compromised resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data
Financial Consolidation
CVE-2026-40135 May 12, 2026
OS Cmd Injection in SAP NetWeaver App Server ABAP An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.
Netweaver Application Server Abap
CVE-2026-40134 May 12, 2026
SAP ICM Remote Function Exec Bypass Auth - Low Integrity Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
CVE-2026-40133 May 12, 2026
CVE-2026-40133: Auth Bypass in SAP S/4HANA Condition Maintenance Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.
S4hana
CVE-2026-40132 May 12, 2026
SAP Strategic Enterprise Management SBSP Auth Bypass (CVE-2026-40132) Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the applications availability.
CVE-2026-40131 May 12, 2026
SQLi in @sap/hdi-deploy: unauth param injection alters SELECT SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.
Hana
CVE-2026-40129 May 12, 2026
SAP ABAP Server Code Injection Enables Arbitrary Exec Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.
NetWeaver
CVE-2026-34263 May 12, 2026
SAP Commerce Cloud - Spring Security Misconfig Allows Remote Code Execution Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Commerce Cloud
CVE-2026-34260 May 12, 2026
SAP Enterprise Search ABAP SQL Injection SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
S4hana
CVE-2026-34259 May 12, 2026
OS Cmd Exec in SAP Forecasting & Replenishment Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.
CVE-2026-34258 May 12, 2026
SAPUI5 Search UI XSS via URL Parameter Manipulation SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.
CVE-2026-27682 May 12, 2026
Reflected XSS in SAP NetWeaver ABAP via unprotected URL param Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victims browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.
Netweaver Application Server Abap
CVE-2026-0502 May 12, 2026
SAP BO BIP CSRF Authenticated Request Forgery Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data.
Businessobjects Business Intelligence Platform
CVE-2026-33454 Apr 27, 2026
Apache Camel Mail Header Injection via camel-mail (3.04.18.1) The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(\"imap://...\") or from(\"pop3://...\")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
CVE-2026-40453 Apr 27, 2026
Apache Camel RCE via HeaderFilterStrategy Injection (pre-4.20.0) The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
CVE-2026-40860 Apr 27, 2026
Apache Camel JmsBinding Deserialization RCE before 4.20.0 JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
CVE-2026-34264 Apr 14, 2026
SAP S/4HANA HCM Auth Check Bypass reveals sensitive data During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
S4hana
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.