Skip to main content

SAP

Vendor security scorecard – 94 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 183
94
CVEs
12
Critical
10
High
0
KEV
0
PoC
20
Unpatched C/H
4.3%
Patch Rate
0.1%
Avg EPSS

Severity Breakdown

CRITICAL
12
HIGH
10
MEDIUM
64
LOW
8

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2026-44747 Memory corruption in SAP NetWeaver Application Server ABAP lets an authenticated attacker exploit logical flaws in memory management (an out-of-bounds write) to read or alter data and crash the system, with high impact on confidentiality, integrity, and availability. SAP rates it CVSS 9.9 with a changed scope, meaning a low-privileged user can affect components beyond their own authorization boundary. There is no public exploit identified at time of analysis, but the low attack complexity and network reachability make it a high-priority patch for any exposed ABAP stack. CRITICAL 9.9 0.4% 50
No patch
CVE-2026-27681 SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) indicates attackers can pivot beyond the vulnerable component to compromise database resources serving multiple SAP applications. Despite critical CVSS 9.9 severity, EPSS exploitation probability remains low (0.05%, 14th percentile) with CISA SSVC indicating no current exploitation and non-automatable attack profile. SAP security note 3719353 provides remediation guidance. CRITICAL 9.9 0.0% 50
No patch
CVE-2026-0488 Unauthorized code execution in SAP CRM and SAP S/4HANA Scripting Editor. Authenticated attacker exploits generic function module call to execute unauthorized ABAP code. CVSS 9.9. CRITICAL 9.9 0.0% 50
No patch
CVE-2026-44748 Signed XML message tampering in SAP NetWeaver Application Server ABAP and ABAP Platform allows authenticated low-privileged attackers to forge identity information by capturing a valid signed message and submitting modified signed XML documents that the verifier accepts. The scope-changing flaw (CVSS 9.9) enables unauthorized access to sensitive user data and disruption of normal operations across trust boundaries. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CRITICAL 9.9 0.0% 50
No patch
CVE-2026-27671 Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component, though no public exploit identified at time of analysis and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV. CRITICAL 9.8 0.0% 49
No patch
CVE-2026-34263 Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at time of analysis, though EPSS data unavailable. Patch details available in SAP Security Note 3733064. CRITICAL 9.6 0.0% 48
No patch
CVE-2026-0509 Unauthorized Remote Function Call execution in SAP NetWeaver ABAP. Low-privileged users can execute background RFCs without proper authorization checks. CVSS 9.6. CRITICAL 9.6 0.0% 48
No patch
CVE-2026-34260 SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation confirmed at time of analysis, though the authentication bypass tag suggests potential credential bypass implications. CRITICAL 9.6 0.0% 48
No patch
CVE-2026-44761 Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed. CRITICAL 9.1 0.4% 46
No patch
CVE-2026-27685 SAP NetWeaver Enterprise Portal Administration has an insecure deserialization vulnerability allowing privileged users to execute code through uploaded files. CRITICAL 9.1 0.0% 46
No patch
CVE-2026-27690 Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. CRITICAL 9.1 0.5% 46
CVE-2026-40128 Path traversal in SAP NetWeaver Application Server Java's Web Container allows unauthenticated remote attackers to manipulate file inclusion parameters within crafted HTTP logon requests, leading to inclusion and processing of arbitrary local files. Successful exploitation can expose or modify sensitive data and render portions of the server unavailable, with no public exploit identified at time of analysis but a CVSS of 9.0 reflecting full CIA impact with scope change. CRITICAL 9.0 0.1% 45
No patch
CVE-2026-23687 Sap Basis versions up to 700 is affected by improper verification of cryptographic signature (CVSS 8.8). HIGH 8.8 0.0% 44
No patch
CVE-2026-34259 OS command injection in SAP Forecasting & Replenishment allows authenticated administrators to execute arbitrary system commands through abuse of a non-remote-enabled function, leading to complete system compromise. The vulnerability enables full read/write access to system data and potential system shutdown, though exploitation is constrained to local attack vectors and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation confirmed at time of analysis, with vendor patch available via SAP Security Patch Day. HIGH 8.2 0.0% 41
No patch
CVE-2026-44752 Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals. HIGH 8.2 0.3% 41
No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy