EUVD-2026-22154
GHSA-qv8q-6q9m-8ch9
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.
AnalysisAI
SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify and inventory all SAP BW and BPC systems running affected versions (750-758, BPC4HANA 300, HANABPC 810/816) and document current user access levels; enable enhanced database query logging and SQL statement auditing. Within 7 days: Restrict database access for non-administrative SAP application accounts using principle-of-least-privilege; review and revoke unnecessary authenticated database permissions per SAP security note 3719353; document all compensating controls implemented. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today