CVEs: 42
Critical: 4
High: 2
KEV: 0
PoC: 0
Unpatched C/H: 6
Patch Rate: 0.0%
Avg EPSS: 0.0%
Severity Breakdown
CRITICAL: 4
HIGH: 2
MEDIUM: 32
LOW: 4
Monthly CVE Trend (chart; data not captured in text)
Affected Products (30)

| Product | CVEs |
|---|---|
| Java | 21 |
| Sap Basis | 13 |
| Open Redirect | 9 |
| Businessobjects Business Intelligence Platform | 8 |
| Windows | 7 |
| Supplier Relationship Management | 7 |
| Business Connector | 5 |
| Netweaver | 5 |
| Solution Tools Plug In | 3 |
| Netweaver Application Server Abap | 2 |
| Commerce Cloud | 2 |
| Docker | 2 |
| Industrial | 2 |
| PostgreSQL | 2 |
| Lt Replication Server | 1 |
| Marketing | 1 |
| Hana Database | 1 |
| Application Interface Framework | 1 |
| Netweaver Application Server Java | 1 |
| Netweaver As Abap Kernel | 1 |
| Netweaver As Abap Krnl64nuc | 1 |
| Netweaver As Abap Krnl64uc | 1 |
| Node.js | 1 |
| Gui Connector | 1 |
| OpenSSL | 1 |
| Business One | 1 |
| S 4Hana Finance | 1 |
| S4core | 1 |
| Businessobjects Enterprise | 1 |
| Businessobjects Business Intelligence | 1 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-27681 | SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile), with CISA SSVC indicating no current exploitation and a non-automatable attack profile. SAP security note 3719353 provides remediation guidance. | CRITICAL | 9.9 | 0.0% | 50 | No patch |
| CVE-2026-34263 | Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data is unavailable. Patch details are available in SAP Security Note 3733064. | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-34260 | SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications. | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-27685 | SAP NetWeaver Enterprise Portal Administration has an insecure deserialization vulnerability allowing privileged users to execute code through uploaded files. | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-34259 | OS command injection in SAP Forecasting & Replenishment allows authenticated administrators to execute arbitrary system commands through abuse of a non-remote-enabled function, leading to complete system compromise. The vulnerability enables full read/write access to system data and potential system shutdown, though exploitation is constrained to local attack vectors and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation confirmed at time of analysis; a vendor patch is available via SAP Security Patch Day. | HIGH | 8.2 | 0.0% | 41 | No patch |
| CVE-2026-34256 | Authenticated remote attackers can overwrite eight-character executable ABAP reports in SAP ERP and SAP S/4HANA systems due to missing authorization checks, enabling denial-of-service conditions when legitimate users execute corrupted reports. This authorization bypass (CWE-862) requires low-privilege authenticated access (CVSS PR:L) and has low attack complexity, combining limited integrity impact with high availability impact (CVSS 7.1). EPSS data not provided; no public exploit identified at time of analysis. Affects SAP ERP and SAP S/4HANA Private Cloud and On-Premise deployments. | HIGH | 7.1 | 0.0% | 36 | No patch |
| CVE-2026-40135 | OS command injection in SAP NetWeaver Application Server for ABAP and ABAP Platform allows authenticated administrators to execute arbitrary shell commands on the server while bypassing audit logging. The vulnerability affects integrity and availability but not confidentiality, and requires high-privilege administrative access over the network with no user interaction. CVSS 6.5 reflects the high-privilege requirement despite the severe impact potential. | MEDIUM | 6.5 | 0.2% | 33 | No patch |
| CVE-2026-34264 | SAP Human Capital Management for SAP S/4HANA allows authenticated users with low privileges to enumerate and guess sensitive information through specific authorization check messages, resulting in information disclosure beyond their authorized scope. The vulnerability affects SAP HCM across affected versions and requires low-privilege authenticated access to exploit, with a CVSS score of 6.5 reflecting high confidentiality impact but no integrity or availability compromise. | MEDIUM | 6.5 | 0.0% | 33 | No patch |
| CVE-2026-27677 | SAP S/4HANA OData Service for Manage Reference Equipment lacks authorization checks, allowing authenticated users to modify and delete child entities without proper access controls. The vulnerability affects S/4HANA instances with the vulnerable OData service and requires low-privilege network access, resulting in high integrity impact but no confidentiality or availability risk. No public exploit code or active exploitation has been confirmed. | MEDIUM | 6.5 | 0.0% | 33 | No patch |
| CVE-2026-27678 | SAP S/4HANA backend OData Service for Manage Reference Structures allows authenticated remote attackers to modify and delete child entities without proper authorization checks, compromising data integrity across reference data structures. The vulnerability requires valid user credentials but no elevated privileges, affecting organizations running vulnerable S/4HANA versions. CVSS 6.5, with confirmed patch availability via SAP Security Patch Day. | MEDIUM | 6.5 | 0.0% | 33 | No patch |
| CVE-2026-27679 | SAP S/4HANA frontend OData Service (Manage Reference Structures) allows authenticated users to update and delete child entities without proper authorization checks, enabling privilege escalation and data integrity violations. The vulnerability requires valid user credentials but no special privileges, affecting systems running vulnerable S/4HANA versions. Attackers can exploit exposed OData endpoints to modify or remove reference structure data that should be protected from their access level. | MEDIUM | 6.5 | 0.0% | 33 | No patch |
| CVE-2026-34261 | Missing authorization checks in SAP Business Analytics and SAP Content Management allow authenticated users to invoke unauthorized remote function module calls, enabling confidential data access beyond their assigned permissions. The vulnerability affects all versions of the product and carries a CVSS score of 6.5 with confirmed high confidentiality impact. No public exploit code or active exploitation has been reported at time of analysis. | MEDIUM | 6.5 | 0.0% | 33 | No patch |
| CVE-2026-24309 | Missing authorization controls in SAP NetWeaver Application Server for ABAP allow authenticated attackers to invoke specific function modules that manipulate the database configuration table, potentially degrading system performance or causing service interruptions. This authorization bypass affects both system integrity and availability, though it requires valid credentials, and no patch is currently available. | MEDIUM | 6.4 | 0.0% | 32 | No patch |
| CVE-2026-27684 | SQL injection in SAP NetWeaver Feedback Notifications Service enables authenticated attackers to execute arbitrary database queries by exploiting insufficient input validation. An attacker can manipulate SQL WHERE clauses to access or exfiltrate sensitive database information, with limited impact on system confidentiality and availability. No patch is currently available for this vulnerability. | MEDIUM | 6.4 | 0.0% | 32 | No patch |
| CVE-2026-24316 | SAP NetWeaver Application Server for ABAP contains a server-side request forgery vulnerability in a built-in ABAP testing report that allows authenticated attackers to send HTTP requests to arbitrary internal or external endpoints. Successful exploitation could enable reconnaissance of sensitive internal systems and potential data exfiltration, though availability is not impacted. Currently, no patch is available for this vulnerability. | MEDIUM | 6.4 | 0.0% | 32 | No patch |