SAP Enterprise Application Software
Recent SAP Security Advisories
| Advisory | Title | Published |
|---|---|---|
| 2026-06-10 | SAP Security Patch Day - June 2026 | June 10, 2026 |
| 2026-05-12 | SAP Security Patch Day - May 2026 | May 12, 2026 |
| 2026-04-14 | SAP Security Patch Day - April 2026 | April 14, 2026 |
| 2026-03-11 | SAP Security Patch Day - March 2026 | March 11, 2026 |
| 2026-02-10 | SAP Security Patch Day - February 2026 | February 10, 2026 |
| 2026-01-13 | SAP Security Patch Day - January 2026 | January 13, 2026 |
| 2025-12-09 | SAP Security Patch Day - December 2025 | December 9, 2025 |
| 2025-11-11 | SAP Security Patch Day - November 2025 | November 11, 2025 |
| 2025-10-12 | SAP Security Patch Day - October 2025 | October 12, 2025 |
| 2025-09-12 | SAP Security Patch Day - September 2025 | September 12, 2025 |
Known Exploited SAP Vulnerabilities
The following SAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | CVE | Description | Exploit Probability (EPSS) | Added |
|---|---|---|---|---|
| SAP NetWeaver Deserialization Vulnerability | CVE-2025-42999 | SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content. | 10.8% | May 15, 2025 |
| SAP NetWeaver Unrestricted File Upload Vulnerability | CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. | 99.3% | April 29, 2025 |
| SAP NetWeaver Directory Traversal Vulnerability | CVE-2017-12637 | SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string. | 94.6% | March 19, 2025 |
| SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability | CVE-2019-0344 | SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection. | 7.1% | September 30, 2024 |
| SAP Multiple Products HTTP Request Smuggling Vulnerability | CVE-2022-22536 | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches. | 97.9% | August 18, 2022 |
| SAP NetWeaver Unrestricted File Upload Vulnerability | CVE-2021-38163 | SAP NetWeaver contains a vulnerability that allows unrestricted file upload. | 37.1% | June 9, 2022 |
| SAP NetWeaver SQL Injection Vulnerability | CVE-2016-2386 | SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 71.1% | June 9, 2022 |
| SAP NetWeaver Information Disclosure Vulnerability | CVE-2016-2388 | The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. | 51.6% | June 9, 2022 |
| SAP NetWeaver AS JAVA CRM Remote Code Execution Vulnerability | CVE-2018-2380 | SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 and 7.54 allow an attacker to exploit insufficient validation of path information provided by users, so that characters representing "traverse to parent directory" are passed through to the file APIs. | 29.2% | November 3, 2021 |
| SAP NetWeaver AS JAVA Remote Code Execution Vulnerability | CVE-2010-5326 | The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. | 17.9% | November 3, 2021 |
| SAP NetWeaver AS JAVA XXE Vulnerability | CVE-2016-9563 | BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. | 23.8% | November 3, 2021 |
| SAP NetWeaver JAVA remote unauthenticated access vulnerability | CVE-2020-6287 | SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system. | 94.7% | November 3, 2021 |
| SAP Solution Manager Missing Authentication Check Complete Compromise of SMD Agents vulnerability | CVE-2020-6207 | SAP Solution Manager (User Experience Monitoring), version 7.2, does not perform any authentication for a service, resulting in complete compromise of all SMD Agents connected to the Solution Manager. | 98.4% | November 3, 2021 |
| SAP NetWeaver AS Java 7.1 - 7.5 Directory Traversal Vulnerability | CVE-2016-3976 | Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. | 46.6% | November 3, 2021 |
Of the known exploited vulnerabilities above, 6 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 7 known exploited SAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
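Two of the entries above, CVE-2017-12637 and CVE-2016-3976, are the same bug class with different separators: a `..` in the query string and a `..\` in a fileName parameter. The following Python is an added example, not code from stack.watch or from SAP. It puts the naive join that produces such bugs beside a containment check that percent-decodes (bounded, so double encoding is caught too), treats both separators alike and refuses anything that resolves outside the base directory, and it runs a matching detector over a few constructed access-log request lines. The base directory, the sample lines and the `/app/download` path are hypothetical.

```python
"""Path-traversal containment check and log detector (added example; not SAP or stack.watch code)."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical directory a download handler is meant to serve files from.
BASE_DIR = "/usr/sap/crashfiles"


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def vulnerable_resolve(base: str, filename: str) -> str:
    """The flawed pattern behind the traversal entries: the user-supplied name is joined
    to the base directory and normalized, so '..' segments walk out of it."""
    return posixpath.normpath(posixpath.join(base, filename))


def safe_resolve(base: str, filename: str):
    """Return the resolved path only if it stays inside base; otherwise None."""
    name = _fully_decode(filename).replace("\\", "/")  # treat '..\' exactly like '../'
    if "\x00" in name or name.startswith("/"):         # NUL byte or absolute path: reject
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, name))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


# A '..' that forms a whole path segment, with either separator on either side.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def is_traversal_request(request_line: str) -> bool:
    """True when the path, any query value, or the bare query string of a logged request
    line contains a '..' segment after decoding (covers both vectors in the table above)."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    candidates = [_fully_decode(parts.path)]
    candidates += [_fully_decode(v) for _k, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(_fully_decode(parts.query))  # query with no key=value, as in the query-string case
    return any(_TRAVERSAL.search(c) for c in candidates)


def flag_traversal(request_lines):
    """Return the request lines that look like traversal attempts, in input order."""
    return [line for line in request_lines if is_traversal_request(line)]


# Constructed sample request lines in access-log style (not real SAP traffic).
SAMPLE_REQUESTS = [
    "GET /scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS?..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /CrashFileDownloadServlet?fileName=..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1",
    "GET /CrashFileDownloadServlet?fileName=report.txt HTTP/1.1",
    "GET /app/download?name=%252e%252e%252fetc HTTP/1.1",
    "GET /app/search?q=a..b HTTP/1.1",
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(BASE_DIR, "../../../etc/passwd"))
    print("safe:      ", safe_resolve(BASE_DIR, "../../../etc/passwd"))
    for line in flag_traversal(SAMPLE_REQUESTS):
        print("flagged:", line)
```

The detector deliberately decodes the raw query string as well as each parsed value, because the CVE-2017-12637 vector is a bare `..` sequence with no `key=value` form, which `parse_qsl` skips.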
By the Year
In 2026 there have been 110 vulnerabilities in SAP products so far, with an average score of 6.1 out of ten. In 2025 SAP had 206 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in SAP products in 2026 could surpass last year's. Last year's average CVE base score was higher by 0.12.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 110 | 6.11 |
| 2025 | 206 | 6.23 |
| 2024 | 106 | 6.11 |
| 2023 | 167 | 6.71 |
| 2022 | 188 | 6.70 |
| 2021 | 204 | 6.74 |
| 2020 | 207 | 7.48 |
| 2019 | 124 | 6.70 |
| 2018 | 127 | 6.94 |
It may take a day or so for new SAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
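How a practitioner would consume the Known Exploited table and the yearly counts above, as an added example rather than anything from stack.watch: the KEV entries with their printed EPSS values are ordered for patching with KEV membership dominating EPSS (a KEV entry at 7.1% still outranks a non-KEV entry with a higher score), and the run-rate projection behind the "could surpass last year's" sentence is computed from the 110 vulnerabilities counted through the June 10, 2026 patch day against the 206 of 2025. The two non-KEV entries use CVE ids that appear on this page, but their EPSS values are invented for illustration.

```python
"""KEV/EPSS patch ordering and run-rate projection (added example; not stack.watch code)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    cve: str
    epss: float                 # EPSS exploit probability as a fraction (0.993 == 99.3%)
    kev_added: Optional[date]   # date CISA added the CVE to KEV, or None if not listed


# Constructed from the Known Exploited SAP Vulnerabilities table above (values as printed).
KEV_ENTRIES: List[Entry] = [
    Entry("CVE-2025-42999", 0.108, date(2025, 5, 15)),
    Entry("CVE-2025-31324", 0.993, date(2025, 4, 29)),
    Entry("CVE-2017-12637", 0.946, date(2025, 3, 19)),
    Entry("CVE-2019-0344", 0.071, date(2024, 9, 30)),
    Entry("CVE-2022-22536", 0.979, date(2022, 8, 18)),
    Entry("CVE-2021-38163", 0.371, date(2022, 6, 9)),
    Entry("CVE-2016-2386", 0.711, date(2022, 6, 9)),
    Entry("CVE-2016-2388", 0.516, date(2022, 6, 9)),
    Entry("CVE-2018-2380", 0.292, date(2021, 11, 3)),
    Entry("CVE-2010-5326", 0.179, date(2021, 11, 3)),
    Entry("CVE-2016-9563", 0.238, date(2021, 11, 3)),
    Entry("CVE-2020-6287", 0.947, date(2021, 11, 3)),
    Entry("CVE-2020-6207", 0.984, date(2021, 11, 3)),
    Entry("CVE-2016-3976", 0.466, date(2021, 11, 3)),
]

# Hypothetical non-KEV entries: the ids are on this page, the EPSS values are invented.
OTHER_ENTRIES: List[Entry] = [
    Entry("CVE-2026-27671", 0.40, None),
    Entry("CVE-2026-44757", 0.01, None),
]


def prioritize(entries: Iterable[Entry], epss_floor: float = 0.10) -> List[str]:
    """Patch order: every KEV entry first (highest EPSS first, most recent KEV date breaking
    ties), then non-KEV entries at or above epss_floor by EPSS. Non-KEV entries below the
    floor are left to the regular patch cycle and are not returned."""
    entries = list(entries)
    kev = sorted(
        (e for e in entries if e.kev_added is not None),
        key=lambda e: (-e.epss, -e.kev_added.toordinal()),
    )
    rest = sorted(
        (e for e in entries if e.kev_added is None and e.epss >= epss_floor),
        key=lambda e: -e.epss,
    )
    return [e.cve for e in kev + rest]


def projected_annual_count(count_so_far: int, as_of: date) -> float:
    """Linear run-rate projection: scale the count published so far this year by the
    fraction of the year that has elapsed (day-of-year over days in the year)."""
    elapsed = as_of.timetuple().tm_yday
    days_in_year = date(as_of.year, 12, 31).timetuple().tm_yday
    return count_so_far * days_in_year / elapsed


def projected_2026_total() -> float:
    """The page's own numbers: 110 CVEs counted through the June 10, 2026 patch day."""
    return projected_annual_count(110, date(2026, 6, 10))


if __name__ == "__main__":
    for rank, cve in enumerate(prioritize(KEV_ENTRIES + OTHER_ENTRIES), 1):
        print(f"{rank:2d}. {cve}")
    print(f"projected 2026 total: {projected_2026_total():.0f} (2025 had 206)")
```

The projection is a straight-line estimate and nothing more; SAP publishes on a monthly patch-day cadence, so a count taken just after a patch day (as here) slightly overstates the rate.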
Recent SAP Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2026-44757 | Jun 09, 2026 | XSS in SAP Wily Introscope Enterprise Manager: SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user's browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability. |
| CVE-2026-44755 | Jun 09, 2026 | SAP BusinessObjects BI Platform: Email Spoofing via Unvalidated Send Params: SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability. This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application. |
| CVE-2026-44754 | Jun 09, 2026 | SAP ODP-RFC API - Caller Identification Missing Opens Data Disclosure: The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. This could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application. |
| CVE-2026-44751 | Jun 09, 2026 | SAP ABAP Report Auth Bypass => Priv Escalation: Application Server ABAP does not perform the necessary authorization checks for an authenticated user, allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has a high impact on integrity, a low impact on availability and no impact on confidentiality of the application. |
| CVE-2026-44750 | Jun 09, 2026 | SAP MDG Review Match Groups App Auth Bypass Enables Priv Esc: SAP MDG (Review Match Groups Application) does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while confidentiality and availability are not impacted. |
| CVE-2026-44748 | Jun 09, 2026 | SAP NetWeaver ABAP Signed XML Tampering via Authenticated Attack: SAP NetWeaver Application Server ABAP and ABAP Platform allow an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application. |
| CVE-2026-44746 | Jun 09, 2026 | XSS in SAP NetWeaver Java JDBC Test Servlet: Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the web client, impacting the confidentiality and integrity of the application, with no impact on availability. |
| CVE-2026-44744 | Jun 09, 2026 | SQLi in SAP S/4HANA Remote Function Module (Auth, High Conf Impact): SAP S/4HANA (On-Premise) contains a SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to execute unauthorized database queries. This flaw exposes sensitive information to which the attacker should not otherwise have access. The vulnerability has a high impact on the confidentiality of the data with no impact on the integrity and availability of the application. |
| CVE-2026-44743 | Jun 09, 2026 | SAP Business Objects Info Leak via Unauthorized Endpoint: Under certain conditions, when an unauthorized attacker accesses a specific endpoint, the SAP Business Objects application leaks sensitive information. This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application. |
| CVE-2026-40128 | Jun 09, 2026 | Path Traversal via File Inclusion in SAP NetWeaver App Server Web Container: SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable. |
| CVE-2026-27671 | Jun 09, 2026 | SAP NetWeaver ABAP: Kernel RFC Memory Corruption Vulnerability: Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application. |
| CVE-2026-24315 | Jun 09, 2026 | SAP Fiori Launchpad URL Manipulation Enables Credential Theft: SAP Fiori Launchpad allows attackers to craft malicious URLs that trigger arbitrary service calls on the Fiori domain; when opened by the user, this could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system, causing low impact on confidentiality and integrity. Availability of the system is not impacted. |
| CVE-2026-44749 | May 26, 2026 | SAP Gtw ErrMsg Injection Exposes URI Parse Logic: The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic, with a low impact on confidentiality. Integrity and availability are unaffected. |
| CVE-2026-27680 | May 14, 2026 | SAP NetWeaver ABAP CSS Injection (Low Conf): Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is applied. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted. |
| CVE-2026-40137 | May 12, 2026 | SAP BSP TAF_APPLAUNCHER Unauth Link Redirect (XSS): SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive information in the victim's browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application. |
| CVE-2026-40136 | May 12, 2026 | SAP Financial Consolidation Authenticated Session Termination: SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions, temporarily preventing access. However, the application itself cannot be compromised, resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data. |
| CVE-2026-40135 | May 12, 2026 | OS Cmd Injection in SAP NetWeaver App Server ABAP: An OS command injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality. |
| CVE-2026-40134 | May 12, 2026 | SAP ICM Remote Function Exec Bypass Auth - Low Integrity: Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application. |
| CVE-2026-40133 | May 12, 2026 | Auth Bypass in SAP S/4HANA Condition Maintenance: Due to a missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability. |
| CVE-2026-40132 | May 12, 2026 | SAP Strategic Enterprise Management SBSP Auth Bypass: Due to a missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application's availability. |
| CVE-2026-40131 | May 12, 2026 | SQLi in @sap/hdi-deploy: unauth param injection alters SELECT: A SQL injection vulnerability exists in the @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow high-privileged users to alter the SELECT statements, impacting confidentiality and availability of the application. There is no impact on integrity. |
| CVE-2026-40129 | May 12, 2026 | SAP ABAP Server Code Injection Enables Arbitrary Exec: Due to a code injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on integrity, with no impact on the confidentiality and availability of the system. |
| CVE-2026-34263 | May 12, 2026 | SAP Commerce Cloud - Spring Security Misconfig Allows Remote Code Execution: Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on confidentiality, integrity, and availability of the application. |
| CVE-2026-34260 | May 12, 2026 | SAP Enterprise Search ABAP SQL Injection: SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected. |
| CVE-2026-34259 | May 12, 2026 | OS Cmd Exec in SAP Forecasting & Replenishment: Due to an OS command execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability. |
| CVE-2026-34258 | May 12, 2026 | SAPUI5 Search UI XSS via URL Parameter Manipulation: SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application. |
| CVE-2026-27682 | May 12, 2026 | Reflected XSS in SAP NetWeaver ABAP via unprotected URL param: Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact on availability. |
| CVE-2026-0502 | May 12, 2026 | SAP BO BIP CSRF Authenticated Request Forgery: Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform, an authenticated user could be tricked by an attacker into sending unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data. |
| CVE-2026-34264 | Apr 14, 2026 | SAP S/4HANA HCM Auth Check Bypass reveals sensitive data: During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information, causing a high impact on confidentiality, while integrity and availability are unaffected. |
| CVE-2026-34262 | Apr 14, 2026 | SAP HANA Cockpit & DB Explorer Info Disclosure Vulnerability: Information disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer. |
| CVE-2026-34261 | Apr 14, 2026 | SAP Business Analytics Auth Bypass via Remote Function Calls: Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability. |
| CVE-2026-34257 | Apr 14, 2026 | SAP NW AS ABAP Open Redirect Vulnerability: Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to a page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability. |
| CVE-2026-34256 | Apr 14, 2026 | SAP ERP/S4HANA ABAP Report Overwrite via Missing Auth Check: Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected. |
| CVE-2026-27683 | Apr 14, 2026 | SAP BusinessObjects XSS via URL injection, low confidentiality impact: SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability. |
| CVE-2026-27681 | Apr 14, 2026 | SAP BPC & BW Bypass Auth: Authenticated User Can Execute SQL Injection: Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system. |
| CVE-2026-27679 | Apr 14, 2026 | High-Integrity OData Auth Bypass in SAP S/4HANA Frontend: Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted. |
| CVE-2026-27678 | Apr 14, 2026 | SAP S/4HANA OData Authz Bypass: Update/Delete Child Entities without proper Auth: Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted. |
| CVE-2026-27677 | Apr 14, 2026 | Auth Bypass: SAP S/4HANA OData Delete/Update RefEquip: Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted. |
| CVE-2026-27676 | Apr 14, 2026 | SAP S/4HANA OData Service Auth Bypass: Delete/Update Child Entities: Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted. |
| CVE-2026-27675 | Apr 14, 2026 | SAP Landscape Transformation RFC Function Module Code Injection Vulnerability: SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high-privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over the kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted. |
| CVE-2026-27674 | Apr 14, 2026 | Code Injection in SAP NetWeaver AS Java Web Dynpro: Due to a code injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim's browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact on availability. |
| CVE-2026-27673 | Apr 14, 2026 | SAP S/4HANA OS File Deletion via Missing Auth Check: Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations, which leads to no impact on confidentiality and a low impact on integrity and availability of the application. |
| CVE-2026-27672 | Apr 14, 2026 | SAP Material Master RBAC Bypass via Report Execution: The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system. |
| CVE-2026-24318 | Apr 14, 2026 | Insecure Session Management in SAP BO BI Platform Reuses Tokens: Due to an insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim's session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim's authenticated context. This could allow the attacker to access or modify information within the victim's session scope, impacting confidentiality and integrity, while availability remains unaffected. |
| CVE-2026-0512 | Apr 14, 2026 | SAP SRM Catalog XSS via SICF Handler (Unauth): Due to a cross-site scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected. |
| CVE-2026-29145 | Apr 09, 2026 | Client cert auth ignores soft fail in Apache Tomcat (11.0.18): CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled in Apache Tomcat and Apache Tomcat Native. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, and from 9.0.83 through 9.0.115; Apache Tomcat Native from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, and from 2.0.0 through 2.0.13. Users are recommended to upgrade to Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 or 9.0.116, which fix the issue. |
| CVE-2026-22732 | Mar 19, 2026 | Spring Security HTTP Header Write Failure before 7.0.4: When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP headers: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, and from 7.0.0 through 7.0.3. |
| CVE-2026-27689 | Mar 10, 2026 | SAP DoS via Large Loop in Remote Function Module: Due to an uncontrolled resource consumption (denial of service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected. |
| CVE-2026-27688 | Mar 10, 2026 | Missing Auth Check in SAP NetWeaver AS ABAP Allows Log Access: Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer log files via a specific RFC function module. An attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. The integrity and availability of the system are not affected. |
| CVE-2026-27687 | Mar 10, 2026 | Missing Access Control in SAP S/4HANA HCM Enables Privileged Data Access: Due to a missing authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, a user with high privileges could access sensitive data belonging to another company. This vulnerability has a high impact on confidentiality and does not affect integrity and availability. |