Skip to main content

SAP CVE-2026-0501

CRITICAL
SQL Injection (CWE-89)
2026-01-13 cna@sap.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 13, 2026 - 02:15 nvd
CRITICAL 9.9

DescriptionCVE.org

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.

AnalysisAI

SAP S/4HANA General Ledger (Private Cloud and On-Premise) has SQL injection allowing authenticated users to read, modify, and delete backend database data with scope change (CVSS 9.9). Financial data is directly at risk.

Technical ContextAI

Insufficient input validation in the Financials General Ledger module (CWE-89) allows authenticated users to craft SQL queries that bypass the SAP authorization model. The scope change means the attacker can access data beyond their authorized scope.

Affected ProductsAI

SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)

RemediationAI

Apply SAP security notes immediately. This threatens financial reporting integrity.

Share

CVE-2026-0501 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy