SAP S/4HANA Enterprise Search CVE-2026-34260

EUVD-2026-29371
Severity: CRITICAL (CVSS 3.1: 9.6)
Weakness: SQL Injection (CWE-89)
2026-05-12 sap GHSA-mr52-49cx-qrr8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: May 12, 2026 - 03:16 (vuln.today)
CVE Published: May 12, 2026 - 02:20 (nvd), CRITICAL 9.6

Description (NVD)

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Analysis (AI)

SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. …

Remediation (AI)

Within 24 hours: Identify all SAP S/4HANA systems running Enterprise Search for ABAP and determine current patch levels against SAP Note 3724838. Within 7 days: Apply vendor-released patches specified in SAP Note 3724838 to all affected S/4HANA instances, prioritizing production systems. …
