SAP Fiori Intercompany Reconciliation Email Injection via Uploaded Files
CVE-2026-0495 Published on January 13, 2026
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
Vulnerability Analysis
CVE-2026-0495 can be exploited with network access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.
Affected Versions
SAP_SE SAP Fiori App (Intercompany Balance Reconciliation):- Version UIAPFI70 500 is affected.
- Version 600 is affected.
- Version 700 is affected.
- Version 800 is affected.
- Version 900 is affected.
- Version 901 is affected.
- Version 902 is affected.
- Version S4CORE 102 is affected.
- Version 103 is affected.
- Version 104 is affected.
- Version 105 is affected.
- Version 106 is affected.
- Version 107 is affected.
- Version 108 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.