254
CVEs
30
Critical
40
High
3
KEV
1
PoC
61
Unpatched C/H
9.4%
Patch Rate
0.6%
Avg EPSS
Severity Breakdown
CRITICAL
30
HIGH
40
MEDIUM
164
LOW
20
Monthly CVE Trend
Affected Products (30)
Java
21
Sap Basis
13
Open Redirect
9
Businessobjects Business Intelligence Platform
8
Windows
7
Supplier Relationship Management
7
Business Connector
5
Netweaver
5
Solution Tools Plug In
3
Netweaver Application Server Abap
2
Commerce Cloud
2
Docker
2
Industrial
2
PostgreSQL
2
Lt Replication Server
1
Marketing
1
Hana Database
1
Application Interface Framework
1
Netweaver Application Server Java
1
Netweaver As Abap Kernel
1
Netweaver As Abap Krnl64nuc
1
Netweaver As Abap Krnl64uc
1
Node.js
1
Gui Connector
1
OpenSSL
1
Business One
1
S 4Hana Finance
1
S4core
1
Businessobjects Enterprise
1
Businessobjects Business Intelligence
1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization, allowing unauthenticated agents to upload malicious executable binaries for critical system compromise (CVSS 10.0). | CRITICAL | 10.0 | 32.2% | 132 |
KEV
No patch
|
| CVE-2010-5326 | Remote unauthenticated code execution in SAP NetWeaver Application Server Java (pre-7.3) through the Invoker Servlet allows attackers to bypass authentication and execute arbitrary code. Confirmed actively exploited (CISA KEV) from 2013 through 2016 in 'Detour' attacks targeting SAP business applications. CVSS 10.0 with EPSS 16.90% (95th percentile) indicates both maximum theoretical severity and sustained real-world exploitation. This remains a critical priority for organizations running legacy SAP NetWeaver Java instances despite the vulnerability's age. | CRITICAL | 10.0 | 16.9% | 127 |
KEV
No patch
|
| CVE-2025-42967 | SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application. | CRITICAL | 9.9 | 0.7% | 50 |
No patch
|
| CVE-2025-27429 | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | CRITICAL | 9.9 | 0.4% | 50 |
No patch
|
| CVE-2025-31330 | SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available. | CRITICAL | 9.9 | 0.4% | 50 |
No patch
|
| CVE-2026-0501 | SAP S/4HANA General Ledger (Private Cloud and On-Premise) has SQL injection allowing authenticated users to read, modify, and delete backend database data with scope change (CVSS 9.9). Financial data is directly at risk. | CRITICAL | 9.9 | 0.1% | 50 |
No patch
|
| CVE-2026-27681 | SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance. | CRITICAL | 9.9 | 0.0% | 50 |
No patch
|
| CVE-2026-0488 | Unauthorized code execution in SAP CRM and SAP S/4HANA Scripting Editor. Authenticated attacker exploits generic function module call to execute unauthorized ABAP code. CVSS 9.9. | CRITICAL | 9.9 | 0.0% | 50 |
No patch
|
| CVE-2025-30016 | SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 0.5% | 49 |
No patch
|
| CVE-2026-0500 | SAP Wily Introscope Enterprise Manager uses a vulnerable third-party component that allows unauthenticated attackers to create malicious JNLP files at public URLs. Victims who click these URLs execute OS commands on their machines. Scope change. Patch available. | CRITICAL | 9.6 | 0.1% | 48 |
|
| CVE-2026-34263 | Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064. | CRITICAL | 9.6 | 0.0% | 48 |
No patch
|
| CVE-2026-0509 | Unauthorized Remote Function Call execution in SAP NetWeaver ABAP. Low-privileged users can execute background RFCs without proper authorization checks. CVSS 9.6. | CRITICAL | 9.6 | 0.0% | 48 |
No patch
|
| CVE-2026-34260 | SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications. | CRITICAL | 9.6 | 0.0% | 48 |
No patch
|
| CVE-2025-42963 | A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. | CRITICAL | 9.1 | 0.2% | 46 |
No patch
|
| CVE-2025-42966 | SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application. | CRITICAL | 9.1 | 0.2% | 46 |
No patch
|