SAP S4hana

Authenticated Info Disclosure in SAP S/4HANA Payment Media
CVE-2026-24314 4.3 - Medium - February 24, 2026

Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availability are not impacted.

Exposure of Sensitive System Information to an Unauthorized Control Sphere

SAP S/4HANA DefSec: Missing Auth in Disconnected Ops Enables FM Table Update
CVE-2026-24326 4.3 - Medium - February 10, 2026

Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application.

AuthZ

SAP S/4HANA & CRM Scripting Editor Arbitrary SQL Injection
CVE-2026-0488 9.9 - Critical - February 10, 2026

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

AuthZ

SAP ECC/S4HANA: Missing Auth Bypass Expose Hardcoded Creds (CVE-2026-0503)
CVE-2026-0503 6.4 - Medium - January 13, 2026

Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability.

AuthZ

SAP S/4HANA Private Cloud/On-Prem SQL Injection in FGL
CVE-2026-0501 9.9 - Critical - January 13, 2026

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.

SQL Injection

SAP S/4HANA RFC Code Injection Backdoor
CVE-2026-0498 9.1 - Critical - January 13, 2026

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

Code Injection

Missing Auth in SAP S/4 HANA Private Cloud - Cross-Company Data Leak
CVE-2025-42876 7.1 - High - December 09, 2025

Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful exploitation could result in a high impact to confidentiality and a low impact to integrity, while availability remains unaffected.

Amplification

SAP E-Recruiting BSP URL Redirection (CWE-601) in S/4HANA
CVE-2025-42924 6.1 - Medium - November 11, 2025

SAP S/4HANA landscape SAP E-Recruiting BSP allows an unauthenticated attacker to craft malicious links, when clicked the victim could be redirected to the page controlled by the attacker. This has low impact on confidentiality and integrity of the application with no impact on availability.

Open Redirect

SAP S/4HANA: Auth Bypass Deleting Shared Bank Statement Rules
CVE-2025-42939 4.3 - Medium - October 14, 2025

SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.

AuthZ

SAP S/4HANA CRLF Injection in Supplier Invoice
CVE-2025-42934 4.3 - Medium - August 12, 2025

SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability.

HTTP Response Splitting

SAP S/4HANA RFC ABAP Injection
CVE-2025-42957 9.9 - Critical - August 12, 2025

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

Code Injection

SAP S/4HANA / SCM RCE via Characteristic Propagation
CVE-2025-42967 9.9 - Critical - July 08, 2025

SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application.

Code Injection

SAP S/4HANA RFC Function Module ABAP Injection Backdoor
CVE-2025-27429 9.9 - Critical - April 08, 2025

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

Code Injection

SAP S/4HANA Manage Privilege Escalation via Missing Auth Checks
CVE-2023-42473 5.4 - Medium - October 10, 2023

S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application.

AuthZ

Statutory Reporting App: Local File Read via Unsecured Storage
CVE-2023-42475 4.3 - Medium - October 10, 2023

The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality.

Generation of Error Message Containing Sensitive Information

SAP S/4HANA Create Single Payment XML Upload DoS via Entity Loop
CVE-2023-41369 4.3 - Medium - September 12, 2023

The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.

XXE

SAP S/4HANA Fiori URL Redir Vulnerability (CVE-2023-40306)
CVE-2023-40306 6.1 - Medium - September 08, 2023

SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. As a result, it may have a slight impact on confidentiality and integrity.

Open Redirect

CVE-2023-24524 SAP S/4HANA Map Treasury Format Auth Escalation
CVE-2023-24524 6.5 - Medium - February 14, 2023

SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.

AuthZ

Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101
CVE-2022-32248 5.3 - Medium - July 12, 2022

Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data.

Improper Input Validation

Within SAP S/4HANA - versions S4CORE 101
CVE-2022-31597 5.4 - Medium - July 12, 2022

Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.

AuthZ

Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data
CVE-2022-31589 6.5 - Medium - June 14, 2022

Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted.

S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor
CVE-2022-22542 6.5 - Medium - February 09, 2022

S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality.

Information Disclosure

The F0743 Create Single Payment application of SAP S/4HANA - versions 100
CVE-2022-22530 8.1 - High - January 14, 2022

The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application.

The F0743 Create Single Payment application of SAP S/4HANA - versions 100
CVE-2022-22531 8.1 - High - January 14, 2022

The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.

Due to improper input sanitization, an authenticated user with certain specific privileges
CVE-2021-38176 8.8 - High - September 14, 2021

Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.

SQL Injection

SAP ERP and SAP S/4 HANA
CVE-2020-6316 - November 10, 2020

SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check.

Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user
CVE-2020-6212 - April 24, 2020

Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing reading or modification of some tax reports, due to Missing Authorization Check.

SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports
CVE-2020-6214 - April 14, 2020

SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change, or delete data, thereby preventing the proper segregation of duties in the system.

AuthZ

Under certain conditions
CVE-2020-6184 - February 12, 2020

Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54)
CVE-2020-6185 - February 12, 2020

Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.