Skip to main content

Sap Basis

17 CVEs product

Monthly

CVE-2026-24312 MEDIUM This Month

SAP Business Workflow contains an authorization bypass that allows authenticated administrators to escalate privileges by misusing permissions from lower-sensitivity functions to perform unauthorized high-privilege operations. An attacker with admin credentials can exploit this flaw to compromise data integrity, though confidentiality and availability impacts are limited. No patch is currently available for this vulnerability.

SAP Privilege Escalation Sap Basis
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-0484 MEDIUM This Month

Sap Basis versions up to 700 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

SAP Sap Basis
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-42918 MEDIUM PATCH Monitor

SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass SAP Sap Basis
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-42911 MEDIUM PATCH This Month

SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass SAP Sap Basis
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-42936 MEDIUM PATCH This Month

The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SAP Privilege Escalation Sap Basis
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-42956 MEDIUM PATCH This Month

SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application.

SAP XSS Sap Basis
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-42986 MEDIUM PATCH This Month

Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.

SAP Authentication Bypass Sap Basis
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-23193 MEDIUM PATCH This Month

SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SAP Information Disclosure Sap Basis
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-0066 CRITICAL PATCH This Week

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

SAP Information Disclosure Sap Basis
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-0063 HIGH PATCH This Month

SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SAP SQLi Sap Basis
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-0058 MEDIUM PATCH This Month

In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass SAP Sap Basis
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-0053 MEDIUM PATCH This Month

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass SAP Information Disclosure Sap Basis
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-39599 MEDIUM PATCH This Month

Due to a Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform, a developer can bypass the configured malware scanner API because of a programming error. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass SAP Sap Basis
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2024-37180 MEDIUM PATCH This Month

Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure SAP Sap Basis
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-34689 MEDIUM This Month

WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Information Disclosure SAP Business Workflow Sap Basis
NVD
CVSS 3.1
5.0
EPSS
0.4%
CVE-2024-34687 CRITICAL PATCH Act Now

SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

XSS SAP Sap Basis
NVD
CVSS 3.1
9.0
EPSS
0.4%
CVE-2016-4551 HIGH This Week

The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver Sap Aba Sap Basis
NVD
CVSS 3.0
7.5
EPSS
0.3%
EPSS 0% CVSS 5.2
MEDIUM This Month

SAP Business Workflow contains an authorization bypass that allows authenticated administrators to escalate privileges by misusing permissions from lower-sensitivity functions to perform unauthorized high-privilege operations. An attacker with admin credentials can exploit this flaw to compromise data integrity, though confidentiality and availability impacts are limited. No patch is currently available for this vulnerability.

SAP Privilege Escalation Sap Basis
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Sap Basis versions up to 700 is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).

SAP Sap Basis
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass SAP Sap Basis
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass SAP Sap Basis
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

SAP Privilege Escalation Sap Basis
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application.

SAP XSS Sap Basis
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.

SAP Authentication Bypass Sap Basis
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SAP Information Disclosure Sap Basis
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH This Week

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Permission Assignment vulnerability could allow attackers to access resources due to misconfigured permissions.

SAP Information Disclosure Sap Basis
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Month

SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SAP SQLi Sap Basis
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass SAP Sap Basis
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass SAP Information Disclosure +1
NVD
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Due to a Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform, a developer can bypass the configured malware scanner API because of a programming error. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass SAP Sap Basis
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure SAP Sap Basis
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Information Disclosure SAP +2
NVD
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.

XSS SAP Sap Basis
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Authentication Bypass Netweaver +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy