SAP Netweaver Application Server Abap
By the Year
In 2026 there have been 7 vulnerabilities in SAP Netweaver Application Server Abap with an average score of 6.5 out of ten. Last year, in 2025, Netweaver Application Server Abap had 15 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Netweaver Application Server Abap in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.83.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 7 | 6.50 |
| 2025 | 15 | 5.67 |
| 2024 | 10 | 4.61 |
| 2023 | 24 | 7.06 |
| 2022 | 11 | 6.45 |
| 2021 | 20 | 6.77 |
| 2020 | 12 | 7.83 |
| 2019 | 2 | 7.45 |
It may take a day or so for new Netweaver Application Server Abap vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent SAP Netweaver Application Server Abap Security Vulnerabilities
Missing Auth Check in SAP NetWeaver AS ABAP Allows Log Access
CVE-2026-27688
5 - Medium
- March 10, 2026
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially escalate their privileges and read the sensitive data, resulting in a limited impact on the confidentiality of the information stored. However, the integrity and availability of the system are not affected.
AuthZ
SAP NetWeaver AS for ABAP SSRF via ABAP Report
CVE-2026-24316
6.4 - Medium
- March 10, 2026
SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on availability of the application.
SSRF
SAP NetWeaver AS ABAP: Auth Bypass Allows Sensitive DB Read (CVE-2026-24310)
CVE-2026-24310
3.5 - Low
- March 10, 2026
Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentiality with no effect on the integrity and availability.
AuthZ
SAP NetWeaver AppSrv ABAP: Auth Bypass Allows DB Config Mod
CVE-2026-24309
6.4 - Medium
- March 10, 2026
Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced system performance or interruptions. The vulnerability has low impact on the application's integrity and availability, with no effect on confidentiality.
AuthZ
SAP NetWeaver App Server ABAP Remote Function Call Auth ByPass
CVE-2026-0509
9.6 - Critical
- February 10, 2026
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no impact on the confidentiality of the application.
AuthZ
Auth Bypass in SAP NetWeaver ABAP Tx Code Enables Data Tampering
CVE-2026-0484
6.5 - Medium
- February 10, 2026
Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on integrity of the application with no effect on the confidentiality and availability.
Open Redirect
SAP ABAP Missing Auth Check: RFC Enables FORM Exec (CVE-2026-0506)
CVE-2026-0506
8.1 - High
- January 13, 2026
Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
AuthZ
SAP NetWeaver AA: DX Workbench Skips Malware Scan on Admin Upload
CVE-2025-42883
2.7 - Low
- November 11, 2025
Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application.
Unrestricted File Upload
SAP NetWeaver ABAP Auth Bypass in Function Module Retrieval
CVE-2025-42882
4.3 - Medium
- November 11, 2025
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment details of the system could further assist this attacker to plan subsequent attacks. As a result, this vulnerability has a low impact on confidentiality, with no impact on the integrity or availability of the application.
AuthZ
SAP NetWeaver AS ABAP CSRF via Session Mgr Bypassing Auth
CVE-2025-42908
5.4 - Medium
- October 14, 2025
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.
Session Riding
SAP NetWeaver BIC Document XSS via crafted URL
CVE-2025-42975
6.1 - Medium
- August 12, 2025
SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client without affecting availability.
XSS
SAP NetWeaver ABAP HTML Injection (CWE-79)
CVE-2025-42945
6.1 - Medium
- August 12, 2025
SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability.
Code Injection
SAP NetWeaver App Server ABAP XSS Vulnerability
CVE-2025-42942
6.1 - Medium
- August 12, 2025
SAP NetWeaver Application Server for ABAP has cross-site scripting vulnerability. Due to this, an unauthenticated attacker could craft a URL embedded with malicious script and trick an unauthenticated victim to click on it to execute the script. Upon successful exploitation, the attacker could access and modify limited information within the scope of victim's browser. This vulnerability has no impact on availability of the application.
XSS
Privilege Escalation via Unrestricted Authorization in SAP NetWeaver AS ABAP
CVE-2025-42936
5.4 - Medium
- August 12, 2025
The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability.
Incorrect Privilege Assignment
SAP NetWeaver ICM Log File Information Disclosure
CVE-2025-42935
4.1 - Medium
- August 12, 2025
The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability.
Insertion of Sensitive Information into Log File
Open Redirect in SAP NetWeaver ABAP Enables Malicious Script Execution
CVE-2025-42981
6.1 - Medium
- July 08, 2025
Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. When a victim clicks on this link, the script executes within the victim's browser, redirecting them to a site controlled by the attacker. This allows the attacker to access and/or modify restricted information related to the web client. While the vulnerability poses no impact on data availability, it presents a considerable risk to confidentiality and integrity.
Open Redirect
Unauthenticated XSS via Crafted URL in SAP NetWeaver ABAP
CVE-2025-42969
6.1 - Medium
- July 08, 2025
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. The victim, when tricked into clicking on this crafted URL unknowingly executes the malicious payload in their browser. On successful exploitation, the attacker can access or modify sensitive information within the scope of victim's web browser, with no impact on availability of the application.
XSS
SAP NetWeaver System Config Auth Bypass Escalates Privileges
CVE-2025-42953
8.1 - High
- July 08, 2025
SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.
AuthZ
SAP NetWeaver App Server ABAP Stored XSS via Insufficient Input Encoding
CVE-2025-26653
4.7 - Medium
- April 08, 2025
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim's browser. Availability is not impacted.
XSS
SAP NetWeaver ABAP RFC Credential Disclosure CVE-2025-23186
CVE-2025-23186
8.5 - High
- April 08, 2025
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
Code Injection
SAP NetWeaver AS ABAP Auth Bypass Privilege Escalation
CVE-2025-0070
- January 14, 2025
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability.
authentification
SAP NetWeaver ABAP Auth Bypass via Obsolete Functionality
CVE-2025-0068
- January 14, 2025
An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the application.
AuthZ
SAP NetWeaver AS ABAP RFC Request Credential Exposure Vulnerability
CVE-2024-54198
- December 10, 2024
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
Improper Control of Dynamically-Identified Variables
SAP NetWeaver ABAP Server File Disclosure Vulnerability
CVE-2024-47593
- November 12, 2024
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted. This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application's integrity or availability.
SAP NetWeaver ABAP DeAuth Package Object Read Elevation
CVE-2024-41728
2.7 - Low
- September 10, 2024
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.
AuthZ
SAP NetWeaver ABAP Priv Escalation Leaks Data Over Net
CVE-2024-44114
2.7 - Low
- September 10, 2024
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.
AuthZ
Missing Auth Check in SAP NetWeaver ABAP Leads to User Info Disclosure
CVE-2024-41734
4.3 - Medium
- August 13, 2024
Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.
AuthZ
SAP NetWeaver AS ABAP Unauth URL Bypass Allowlist
CVE-2024-41732
5.4 - Medium
- August 13, 2024
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.
SAP NetWeaver App Server ABAP: Remote Function Module Authorization Bypass
CVE-2024-37180
- July 09, 2024
Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be restricted, the function can be used to read non-sensitive information with low impact on confidentiality of the application.
Information Disclosure
SAP NetWeaver/ABAP Platform DoS via Service Flooding
CVE-2024-33001
6.5 - Medium
- June 11, 2024
SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application.
SAP NetWeaver KERNEL Affected 7.53-7.94 Access Control Bypass
CVE-2024-24740
5.3 - Medium
- February 13, 2024
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.
Incorrect Permission Assignment for Critical Resource
SAP NetWeaver ABAP XSS via Improper Input Encoding
CVE-2024-21738
5.4 - Medium
- January 09, 2024
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.
XSS
Unauthenticated Data Write via SAP GUI (Windows/Java)
CVE-2023-49581
9.4 - Critical
- December 12, 2023
SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.
SQL Injection
SAP NetWeaver ABAP KERNEL Unauth Data Access (v7.22-7.94)
CVE-2023-41366
5.3 - Medium
- November 14, 2023
Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.
SAP NetWeaver AS ABAP: JS Injection via SAP_UI/SAP_BASIS
CVE-2023-40624
5.4 - Medium
- September 12, 2023
SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application.
XSS
SAP CommonCryptoLib Auth Bypass (CVE-2023-40309)
CVE-2023-40309
9.8 - Critical
- September 12, 2023
SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an authenticated user, resulting in escalation of privileges. Depending on the application and the level of privileges acquired, an attacker could abuse functionality restricted to a particular user group as well as read, modify or delete restricted data.
AuthZ
SAP CommonCryptoLib MemCorruption CVE-2023-40308
CVE-2023-40308
7.5 - High
- September 12, 2023
SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption error in a library which in turn causes the target component to crash making it unavailable. There is no ability to view or modify any information.
Memory Corruption
SAP NetWeaver ABAP Privilege Escalation via Missing Auth Checks
CVE-2023-37492
6.5 - Medium
- August 08, 2023
SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 793, SAP_BASIS 804, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read sensitive information which can be used in a subsequent serious attack.
AuthZ
SAP NetWeaver ABAP Auth Bypass before 7.93
CVE-2023-35874
7.4 - High
- July 11, 2023
SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL, 7.53, KERNEL 7.77, KERNEL 7.81, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.92, KERNEL 7.93, under some conditions, performs improper authentication checks for functionalities that require user identity. An attacker can perform malicious actions over the network, extending the scope of impact, causing a limited impact on confidentiality, integrity and availability.
Missing Authentication for Critical Function
CVE-2023-28763: SAP NetWeaver ABAP DoS via crafted request
CVE-2023-28763
6.5 - Medium
- April 11, 2023
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated as a non-administrative user to craft a request with certain parameters which can consume the server's resources sufficiently to make it unavailable over the network without any user interaction.
Reflected XSS in SAP GUI for HTML before 7.93
CVE-2023-27499
6.1 - Medium
- April 11, 2023
SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could craft a malicious URL and lure the victim to click, the script supplied by the attacker will execute in the victim user's browser. The information from the victim's web browser can either be modified or read and sent to the attacker.
XSS
SAP NetWeaver ABAP DT Traversal Enables OS File Deletion
CVE-2023-27501
9.6 - Critical
- March 14, 2023
SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker to exploit insufficient validation of path information provided by users, thus exploiting a directory traversal flaw in an available service to delete system files. In this attack, no data can be read but potentially critical OS files can be deleted making the system unavailable, causing significant impact on both availability and integrity.
Directory traversal
Directory Traversal in SAPRSBRO Enables System File Overwrite
CVE-2023-27500
8.1 - High
- March 14, 2023
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.
Directory traversal
DoS via Unused ErrorHandling Class in SAP NetWeaver ABAP
CVE-2023-25618
6.5 - Medium
- March 14, 2023
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with certain parameters which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.
Resource Exhaustion
SAP NetWeaver AS for ABAP SSRF via improper input controls
CVE-2023-26459
7.4 - High
- March 14, 2023
Due to improper input controls in SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, an attacker authenticated as a non-administrative user can craft a request which will trigger the application server to send a request to an arbitrary URL which can reveal, modify or make unavailable non-sensitive information, leading to low impact on Confidentiality, Integrity and Availability.
SSRF
SAP NetWeaver DOS via crafted request in test class
CVE-2023-27270
6.5 - Medium
- March 14, 2023
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in a class for test purposes in which an attacker authenticated as a non-administrative user can craft a request with certain parameters, which will consume the server's resources sufficiently to make it unavailable. There is no ability to view or modify any information.
Resource Exhaustion
SAP NetWeaver: Directory Traversal Enables OS File Overwrite
CVE-2023-27269
9.6 - Critical
- March 14, 2023
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker with non-administrative authorizations to exploit a directory traversal flaw in an available service to overwrite the system files. In this attack, no data can be read but potentially critical OS files can be overwritten making the system unavailable.
Directory traversal
SAP NetWeaver BSP Code Exec via Unauth Injection
CVE-2023-25614
6.1 - Medium
- February 14, 2023
SAP NetWeaver AS ABAP (BSP Framework) application - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allow an unauthenticated attacker to inject the code that can be executed by the application over the network. On successful exploitation it can gain access to the sensitive information which leads to a limited impact on the confidentiality and the integrity of the application.
XSS
Unauth Session Hijack via XSS in SAP NetWeaver AS ABAP BSP
CVE-2023-24522
6.1 - Medium
- February 14, 2023
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated user to alter the current session of the user by injecting the malicious code over the network and gain access to the unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application.
XSS
SAP NetWeaver ABAP Unauth Redirect Link Exploit
CVE-2023-23860
6.1 - Medium
- February 14, 2023
SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated attacker to craft a link, which when clicked by an unsuspecting user can be used to redirect a user to a malicious site which could read or modify some sensitive information or expose the victim to a phishing attack.
Open Redirect