Skip to main content

SAP S/4HANA PPM-PRO EUVDEUVD-2026-43593

| CVE-2026-44769 MEDIUM
SQL Injection (CWE-89)
2026-07-14 sap GHSA-9962-7h22-692x
5.5
CVSS 3.1 · Vendor: sap
Share

Severity by source

Vendor (sap) PRIMARY
5.5 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
5.5 MEDIUM

Retaining AV:N and PR:H from vendor vector; C:H reflects database exposure potential, consistent with SQL injection root cause despite prose ambiguity.

3.1 AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (sap).

CVSS VectorVendor: sap

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 14, 2026 - 01:20 vuln.today

DescriptionCVE.org

SAP S/4HANA application Project Management (PPM-PRO) allows an attacker with high privileges to execute crafted database queries, exposing the backend database. This results in low impact on confidentiality, with no impact on integrity and availability of the application.

AnalysisAI

SQL injection in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged authenticated attacker to execute crafted database queries, exposing backend database contents. The vulnerability is reachable over the network but requires both high attack complexity and high privilege level, significantly constraining the realistic attacker pool. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with high-privilege SAP account
Delivery
Access PPM-PRO project management interface
Exploit
Submit crafted SQL-injected input to vulnerable query
Execution
Backend HANA database executes injected statement
Impact
Exfiltrate exposed database records

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold high privileges within the SAP S/4HANA environment (PR:H per CVSS vector), meaning a standard SAP user role is insufficient - administrator-level or equivalent PPM-PRO access is necessary. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate despite the high confidentiality impact (C:H) in the CVSS vector. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with high-privilege access to the SAP S/4HANA PPM-PRO module - such as a project manager or administrator role - submits a specially crafted input to a project management function that is passed unsanitized into a backend HANA database query. The injected SQL clause extracts data from the HANA database schema, potentially including project financial records, resource data, or other sensitive enterprise data stored in related tables. …
Remediation Apply the patch or correction instructions detailed in SAP Security Note 3537373 (https://me.sap.com/notes/3537373), accessible via SAP One Support Launchpad. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy