SAP Fiori
By the Year
In 2026 there have been 0 vulnerabilities in SAP Fiori. Last year, in 2025, Fiori had 1 security vulnerability published. Right now, Fiori is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 4.30 |
| 2024 | 1 | 4.30 |
| 2023 | 1 | 6.50 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 6.50 |
It may take a day or so for new Fiori vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent SAP Fiori Security Vulnerabilities
SAP Fiori Posting Lib Security Misconfig Enables ACL Bypass
CVE-2025-26660
4.3 - Medium
March 11, 2025
SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application, enabling them to potentially modify data. Confidentiality and Availability are not impacted.
Insecure Direct Object Reference / IDOR
SAP Fiori Overtime Request: Auth Bypass Escalation via URL Tampering
CVE-2024-25643
4.3 - Medium
February 13, 2024
The SAP Fiori app (My Overtime Request), version 605, does not perform the necessary authorization checks for an authenticated user, which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability.
AuthZ
SAP Fiori MP Travel apps - Auth data leak via misconfigured endpoint
CVE-2023-24528
6.5 - Medium
February 14, 2023
SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests), version 600, allow an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network, and successful exploitation can lead to exposure of data such as travel documents.
AuthZ
SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2): CSRF
CVE-2018-2474
6.5 - Medium
October 09, 2018
The SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user into sending an unintended request to the web server. This vulnerability is due to insufficient CSRF protection.
Session Riding