Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

SAP SE

BOS ID

-
BOSS-VENDOR-69363

Tags

-
N/A

Related Bos

-
N/A

Note

-

https://www.sap.com/index.html https://www.sap.com/about/legal/terms-of-use.html

Mapped CVEsMapped VendorsRelated AssignersReports
1898Vulnerabilities found

CVE-2026-44767
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 7.84%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:22
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Allowlist Bypass in setThemeRoot() Enables Cross-Origin CSS Injection

setThemeRoot() failed to enforce the sap-allowed-theme-origins allowlist. An attacker-controlled absolute cross-origin URL could be stored and used directly to construct a <link rel=stylesheet> element, even when no <meta name=sap-allowed-theme-origins> tag was present in the document. The same bypass was reachable via the ?sap-themeRoot URL parameter.Exploitation requires attacker-influenced input (e.g., a URL query parameter, tenant configuration, or user-supplied setting) to reach setThemeRoot(). A successful exploit allows an attacker to inject arbitrary CSS into the victim page, enabling:- UI redressing and clickjacking- Phishing overlays- Visual defacement- Limited data exfiltration via CSS attribute selectors targeting predictable DOM content

Action-Not Available
Vendor-SAP SE
Product-@ui5/webcomponents-base
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-58233
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-7.6||HIGH
EPSS-0.31% / 23.48%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:21
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach)

SAP Change and Transport System Attach Tool (ctsattach) allows an authenticated attacker to supply a specially crafted archive file which, when processed by the application�s library, can trigger insecure deserialization and lead to remote code execution (RCE) on the system. Successful exploitation requires a victim to process the malicious archive, enabling the attacker to execute the RCE and extract sensitive information and gain control over the system and its processes. This vulnerability has a high impact on confidentiality and integrity of the data, with a low impact on the availability of the system.

Action-Not Available
Vendor-SAP SE
Product-SAP Change and Transport System Attach Tool (ctsattach)
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-44771
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.78%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:21
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4HANA (Draft operation)

SAP S/4HANA Draft operation does not perform necessary authorization checks for an authenticated user, a restricted user could access information within the entity resulting in escalation of privileges. This results in low impact on confidentiality, with no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA (Draft operation)
CWE ID-CWE-862
Missing Authorization
CVE-2026-44770
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.42%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:21
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4 HANA (Create Single Payment)

SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4 HANA (Create Single Payment)
CWE ID-CWE-862
Missing Authorization
CVE-2026-44769
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-5.5||MEDIUM
EPSS-0.20% / 9.68%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:21
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO)

SAP S/4HANA application Project Management (PPM-PRO) allows an attacker with high privileges to execute crafted database queries, exposing the backend database. This results in low impact on confidentiality, with no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA Project Management (PPM-PRO)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-44768
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.1||MEDIUM
EPSS-0.17% / 6.02%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:20
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Security misconfiguration in SAP CRM (WebClient UI)

SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.

Action-Not Available
Vendor-SAP SE
Product-SAP CRM (WebClient UI)
CWE ID-CWE-15
External Control of System or Configuration Setting
CVE-2026-44761
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.1||CRITICAL
EPSS-0.35% / 27.50%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:20
Updated-15 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Sample Credentials in SAP Commerce Cloud

SAP Commerce Cloud could retain a sample OAuth2 client with publicly documented sample credentials originating from sample configuration provided in SAP Help Portal documentation. If left unchanged, an unauthenticated attacker could use these well-known credentials to obtain a valid access token and invoke certain APIs to read and modify data. Successful exploitation results in high impact on confidentiality and integrity, with no impact on availability.

Action-Not Available
Vendor-SAP SE
Product-SAP Commerce Cloud
CWE ID-CWE-1392
Use of Default Credentials
CVE-2026-44760
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.14% / 3.91%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:20
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)

Due to a Cross-Site Scripting (XSS) vulnerability, applications based on Business Server Pages framework in SAP NetWeaver Application Server ABAP reflects unsanitized input into the HTTP response which allows an attacker to inject and execute arbitrary JavaScript code under certain conditions. Successful exploitation could allow the attacker to steal session information, perform authenticated actions on behalf of the victim user etc. This vulnerability has low impact on confidentiality and integrity of the data and no impact on application 's availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-44759
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.17% / 6.80%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:20
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Enterprise Portal
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-44753
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.22% / 12.44%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:19
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)

SAP HANA Database (user self service tools) allows an unauthenticated user to send specially crafted requests that produce distinguishable responses, enabling enumeration of valid user accounts and email addresses. Successful exploitation could allow the attacker to enumerate valid user accounts, resulting in low impact on confidentiality, with no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP HANA Extended Application Services classic model (User Self Service)
CWE ID-CWE-204
Observable Response Discrepancy
CVE-2026-44752
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-8.2||HIGH
EPSS-0.26% / 17.90%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:19
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard)

SAP NetWeaver Application Server Java allows an unauthenticated attacker to inject malicious JavaScript through crafted URLs. When a victim accesses such a URL, the script executes in the user's browser, allowing the attacker to access sensitive session information and modify non-sensitive data displayed in the client�s browser. This results in a high impact on confidentiality, low impact on integrity with no impact on availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server Java(Configuration Wizard)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-44747
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.9||CRITICAL
EPSS-0.44% / 35.56%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:19
Updated-15 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP

SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability. This has high impact on confidentiality, integrity, and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server ABAP
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-44745
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-8.1||HIGH
EPSS-0.33% / 25.29%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:18
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect vulnerability in SAP Approuter

SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results in a high impact to the confidentiality and integrity with no impact on the availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP Approuter
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-27690
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.1||CRITICAL
EPSS-0.54% / 41.74%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:17
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTTP Request Smuggling in SAP Approuter

Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to a high impact on confidentiality and availability.

Action-Not Available
Vendor-SAP SE
Product-SAP Approuter
CWE ID-CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2026-0487
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-8.4||HIGH
EPSS-0.15% / 4.44%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 00:17
Updated-14 Jul, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DLL Hijacking vulnerability in SAProuter on Microsoft Windows

SAProuter on Microsoft Windows allows an unauthenticated attacker to load library (DLL) files from an untrusted location, allowing them to execute malicious code on the system. This could enable the attacker to hijack the DLL loading process and achieve arbitrary code execution. This has high impact on confidentiality, integrity and availability of the system.

Action-Not Available
Vendor-SAP SE
Product-SAProuter on Microsoft Windows
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2026-44757
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.15% / 4.94%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:21
Updated-09 Jun, 2026 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager

SAP Wily Introscope Enterprise Manager allows an unauthenticated attacker to craft a specially crafted URL. Under certain conditions, when accessed by a victim, the injected script could execute in the user�s browser within the context of the application. This issue has a low impact on the confidentiality and integrity of the application with no impact on availability.

Action-Not Available
Vendor-SAP SE
Product-SAP Wily Introscope Enterprise Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-44755
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 1.46%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:21
Updated-09 Jun, 2026 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Email Spoofing vulnerability in SAP Business Objects Business Intelligence Platform

SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated users, resulting in an email spoofing vulnerability.This vulnerability has a low impact on integrity and does not affect the confidentiality and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP Business Objects Business Intelligence Platform
CWE ID-CWE-346
Origin Validation Error
CVE-2026-44754
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.6||MEDIUM
EPSS-0.22% / 12.33%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:21
Updated-09 Jun, 2026 | 14:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing caller identification check-in for ODP Data Replication APIs

The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.

Action-Not Available
Vendor-SAP SE
Product-ODP Data Replication APIs
CWE ID-CWE-862
Missing Authorization
CVE-2026-44751
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-7.1||HIGH
EPSS-0.21% / 10.79%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:21
Updated-10 Jun, 2026 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform

Application server ABAP does not perform necessary authorization checks for an authenticated user allowing an attacker to execute a report generation command which could overwrite information belonging to another user, resulting in escalation of privileges. This has high impact on integrity with low impact on availability and no impact on confidentiality of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver AS ABAP and ABAP Platform
CWE ID-CWE-862
Missing Authorization
CVE-2026-44750
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.71%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:21
Updated-10 Jun, 2026 | 13:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP MDG (Review Match Groups Application)

SAP MDG (Review Match Groups Application) does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while confidentiality and availability are not impacted.

Action-Not Available
Vendor-SAP SE
Product-SAP MDG (Review Match Groups Application)
CWE ID-CWE-862
Missing Authorization
CVE-2026-44748
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.9||CRITICAL
EPSS-0.23% / 13.97%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:20
Updated-09 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage. This causes a high impact on confidentiality, integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver AS ABAP and ABAP Platform
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-44746
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 9.87%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:20
Updated-09 Jun, 2026 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet)

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver JAVA (JDBC Test Servlet), an unauthenticated attacker could craft a URL that embeds a malicious script. If a victim clicks this link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim's browser. This could allow the attacker to access and/or modify information related to the webclient, impacting the confidentiality and integrity of the application, with no impact to availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver AS Java (JDBC Test Servlet)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-44744
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.22% / 12.96%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:20
Updated-09 Jun, 2026 | 13:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection vulnerability in SAP S/4HANA

SAP S/4HANA(On-Premise) contains SQL injection vulnerability in a remote-enabled function module component that could be exploited by an authenticated attacker to potentially execute unauthorized database queries.This flaw exposes sensitive information to which they should not otherwise have access to. The vulnerability has a high impact on the confidentiality of the data with no impact on the integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-44743
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-3.7||LOW
EPSS-0.19% / 8.61%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:20
Updated-09 Jun, 2026 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Security Misconfiguration vulnerability in SAP Business Objects

Under certain conditions, when an unauthorized attacker accesses a specific endpoint, SAP Business Objects application leaks sensitive information .This has a low impact on the confidentiality of the data. There is no impact on integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP Business Objects
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2026-40128
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9||CRITICAL
EPSS-0.45% / 36.66%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:20
Updated-10 Jun, 2026 | 03:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server Java (Web Container)
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2026-27671
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.8||CRITICAL
EPSS-0.44% / 35.39%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:20
Updated-09 Jun, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high impact on the confidentiality, integrity, and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver AS ABAP and ABAP Platform
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2026-24315
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.2||MEDIUM
EPSS-0.17% / 7.05%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 00:19
Updated-09 Jun, 2026 | 13:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal Vulnerability in SAP Fiori (launchpad)

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.

Action-Not Available
Vendor-SAP SE
Product-SAP Fiori (launchpad)
CWE ID-CWE-35
Path Traversal: '.../...//'
CVE-2026-44749
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.27%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 17:24
Updated-26 May, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP Gateway

The SAP Gateway allows attackers to inject content into error messages, potentially leading to disclosure of request artefacts (e.g., regex patterns) and revealing underlying URI parsing logic. Leading to low impact on confidentiality. Integrity and availability are unaffected.

Action-Not Available
Vendor-SAP SE
Product-SAP Gateway
CWE ID-CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVE-2026-27680
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-3.1||LOW
EPSS-0.17% / 6.96%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 18:33
Updated-03 Jun, 2026 | 19:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CSS Injection vulnerability in SAP NetWeaver Application Server ABAP

Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application. When a user accesses or clicks the affected page, the injected CSS is executed. As a result, the issue has a low impact on confidentiality, while integrity and availability are not impacted.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server ABAP
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2026-40137
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 11.33%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:23
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)

SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.

Action-Not Available
Vendor-SAP SE
Product-Business Server Pages Application (TAF_APPLAUNCHER)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-40136
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.96%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:21
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Denial of service (DoS) in SAP Financial Consolidation

SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions temporarily preventing access. However, the application itself cannot be compromised resulting in a low impact on availability. There is no impact on confidentiality and integrity of the data

Action-Not Available
Vendor-SAP SE
Product-SAP Financial Consolidation
CWE ID-CWE-404
Improper Resource Shutdown or Release
CVE-2026-40135
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-1.40% / 69.41%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:21
Updated-03 Jun, 2026 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server for ABAP and ABAP Platform
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2026-40134
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.75%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:21
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Check in SAP Incentive and Commission Management

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP Incentive and Commission Management
CWE ID-CWE-862
Missing Authorization
CVE-2026-40133
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.3||MEDIUM
EPSS-0.22% / 11.96%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:21
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP S/4HANA Condition Maintenance

Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of the data. Additionally, this vulnerability may prevent the legitimate user from accessing the records, causing low impact on application availability.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA Condition Maintenance
CWE ID-CWE-862
Missing Authorization
CVE-2026-40132
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.19% / 8.74%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:21
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)

Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application�s availability.

Action-Not Available
Vendor-SAP SE
Product-SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)
CWE ID-CWE-862
Missing Authorization
CVE-2026-40131
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-3.4||LOW
EPSS-0.17% / 6.94%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:20
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library

SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.

Action-Not Available
Vendor-SAP SE
Product-SAP HANA Deployment Infrastructure (HDI) deploy library
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-40129
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 16.94%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:20
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

Action-Not Available
Vendor-SAP SE
Product-SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-34263
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.6||CRITICAL
EPSS-0.61% / 45.21%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:20
Updated-15 May, 2026 | 12:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing authentication check in SAP Commerce cloud configuration

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP Commerce cloud configuration
CWE ID-CWE-459
Incomplete Cleanup
CVE-2026-34260
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.6||CRITICAL
EPSS-0.47% / 37.42%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:20
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Action-Not Available
Vendor-SAP SE
Product-SAP S/4HANA (SAP Enterprise Search for ABAP)
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-34259
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-8.2||HIGH
EPSS-0.20% / 9.89%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:20
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OS Command Injection Vulnerability in SAP Forecasting & Replenishment

Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.

Action-Not Available
Vendor-SAP SE
Product-SAP Forecasting & Replenishment
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2026-34258
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.25% / 16.24%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:19
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Content Spoofing vulnerability in SAPUI5 (Search UI)

SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content. Successful exploitation may mislead victim users into clicking and accessing attacker-controlled pages rendered by the application. This vulnerability has a low impact on confidentiality with no effect on the integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAPUI5 (Search UI)
CWE ID-CWE-451
User Interface (UI) Misrepresentation of Critical Information
CVE-2026-27682
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.7||MEDIUM
EPSS-0.22% / 12.92%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:19
Updated-03 Jun, 2026 | 19:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim�s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-0502
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 2.25%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 02:19
Updated-12 May, 2026 | 14:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Request Forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform

Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform ,an authenticated user could be tricked by an attacker to send unintended requests to the web server. This has low impact on integrity and availability of the application. There is no impact on confidentiality of the data.

Action-Not Available
Vendor-SAP SE
Product-SAP BusinessObjects Business Intelligence Platform
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-34264
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 18.68%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:09
Updated-04 May, 2026 | 14:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA

During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.

Action-Not Available
Vendor-SAP SE
Product-human_capital_managements\/4hanaSAP Human Capital Management for SAP S/4HANA
CWE ID-CWE-204
Observable Response Discrepancy
CVE-2026-34262
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-5||MEDIUM
EPSS-0.30% / 22.38%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:09
Updated-04 May, 2026 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer

Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer

Action-Not Available
Vendor-SAP SE
Product-hana_database_explorerhana_cockpitSAP HANA Cockpit and HANA Database Explorer
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2026-34261
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.5||MEDIUM
EPSS-0.21% / 11.62%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:08
Updated-17 Apr, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP Business Analytics and SAP Content Management

Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.

Action-Not Available
Vendor-SAP SE
Product-SAP Business Analytics and SAP Content Management
CWE ID-CWE-862
Missing Authorization
CVE-2026-34257
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 5.04%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:08
Updated-03 Jun, 2026 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open Redirect vulnerability in SAP NetWeaver Application Server ABAP

Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL that, if accessed by a victim, they could be redirected to the page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability.

Action-Not Available
Vendor-SAP SE
Product-netweaver_application_server_abapSAP NetWeaver Application Server ABAP
CWE ID-CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CVE-2026-34256
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-7.1||HIGH
EPSS-0.22% / 12.64%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:08
Updated-17 Apr, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.

Action-Not Available
Vendor-SAP SE
Product-SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
CWE ID-CWE-862
Missing Authorization
CVE-2026-27683
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-4.1||MEDIUM
EPSS-0.18% / 8.22%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:08
Updated-17 Apr, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.

Action-Not Available
Vendor-SAP SE
Product-SAP BusinessObjects Business Intelligence Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-27681
Assigner-SAP SE
ShareView Details
Assigner-SAP SE
CVSS Score-9.9||CRITICAL
EPSS-0.50% / 39.56%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:08
Updated-17 Apr, 2026 | 15:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

Action-Not Available
Vendor-SAP SE
Product-SAP Business Planning and Consolidation and SAP Business Warehouse
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 37
  • 38
  • Next