Summary
CVEs: 84
Critical: 10
High: 10
KEV (CISA Known Exploited Vulnerabilities): 0
PoC (public proof-of-concept): 0
Unpatched C/H (critical/high with no patch): 17
Patch Rate: 4.8%
Avg EPSS: 0.1%
Severity Breakdown
CRITICAL: 10
HIGH: 10
MEDIUM: 57
LOW: 7
Monthly CVE Trend (chart; the monthly counts are not present in the text)
Affected Products (30)
Java: 21
SAP Basis: 13
Open Redirect: 9
BusinessObjects Business Intelligence Platform: 8
Windows: 7
Supplier Relationship Management: 7
Business Connector: 5
NetWeaver: 5
Solution Tools Plug-In: 3
NetWeaver Application Server ABAP: 2
Commerce Cloud: 2
Docker: 2
Industrial: 2
PostgreSQL: 2
LT Replication Server: 1
Marketing: 1
HANA Database: 1
Application Interface Framework: 1
NetWeaver Application Server Java: 1
NetWeaver AS ABAP Kernel: 1
NetWeaver AS ABAP KRNL64NUC: 1
NetWeaver AS ABAP KRNL64UC: 1
Node.js: 1
GUI Connector: 1
OpenSSL: 1
Business One: 1
S/4HANA Finance: 1
S4CORE: 1
BusinessObjects Enterprise: 1
BusinessObjects Business Intelligence: 1
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-0501 | SQL injection in SAP S/4HANA General Ledger (Private Cloud and On-Premise) lets authenticated users read, modify, and delete backend database data, with scope change (CVSS 9.9). Financial data is directly exposed. | CRITICAL | 9.9 | 0.1% | 50 | No patch |
| CVE-2026-27681 | SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) lets authenticated users execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. The scope-change vector (S:C) means an attacker can pivot beyond the vulnerable component to database resources serving multiple SAP applications. Despite the critical CVSS 9.9, EPSS exploitation probability is low (0.05%, 14th percentile), and CISA SSVC indicates no current exploitation and a non-automatable attack profile. SAP Security Note 3719353 provides remediation guidance. | CRITICAL | 9.9 | 0.0% | 50 | No patch |
| CVE-2026-0488 | Unauthorized code execution in the SAP CRM and SAP S/4HANA Scripting Editor: an authenticated attacker abuses a generic function module call to execute unauthorized ABAP code (CVSS 9.9). | CRITICAL | 9.9 | 0.0% | 50 | No patch |
| CVE-2026-0500 | SAP Wily Introscope Enterprise Manager ships a vulnerable third-party component that lets unauthenticated attackers create malicious JNLP files at public URLs; a victim who opens such a URL executes OS commands on their own machine. Scope change. Patch available. | CRITICAL | 9.6 | 0.1% | 48 | |
| CVE-2026-34263 | Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated upload of a malicious configuration and code injection. An attacker remotely exploits a misconfigured Spring Security setup to upload crafted configuration files and inject code without authentication; the only precondition is that a user interacts with the malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). Affects SAP Commerce Cloud Configuration with critical impact on confidentiality, integrity, and availability. No public exploit code or CISA KEV listing identified at the time of analysis; EPSS data was unavailable. Patch details are in SAP Security Note 3733064. | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-0509 | Unauthorized Remote Function Call execution in SAP NetWeaver ABAP: low-privileged users can execute background RFCs without proper authorization checks (CVSS 9.6). | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-34260 | SQL injection in SAP S/4HANA Enterprise Search for ABAP lets authenticated attackers extract sensitive database information and crash the application through malicious SQL statements injected via improperly validated input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released patches (SAP Note 3724838) for this CVSS 9.6 vulnerability. No active exploitation confirmed at the time of analysis; the authentication-bypass tag suggests credential-bypass implications. | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-0498 | SAP S/4HANA (Private Cloud and On-Premise) carries the same backdoor as CVE-2026-0491: admin-exploitable ABAP/OS command injection via an RFC function module. Patch available. | CRITICAL | 9.1 | 0.1% | 46 | |
| CVE-2026-0491 | SAP Landscape Transformation has an admin-exploitable backdoor via an RFC function module that allows injection of arbitrary ABAP code and OS commands, bypassing authorization checks. Scope change enables full SAP system compromise. | CRITICAL | 9.1 | 0.1% | 46 | No patch |
| CVE-2026-27685 | Insecure deserialization in SAP NetWeaver Enterprise Portal Administration lets privileged users execute code through uploaded files. | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-0492 | SAP HANA Database versions up to 2.00 are affected by missing authentication for a critical function (CVSS 8.8). | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-23687 | SAP Basis versions up to 700 are affected by improper verification of a cryptographic signature (CVSS 8.8). | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2026-0507 | OS command injection in SAP Application Server for ABAP and NetWeaver RFCSDK: authenticated administrators with adjacent network access can execute arbitrary system commands by uploading malicious content, leading to complete compromise of confidentiality, integrity, and availability. No patch is currently available. | HIGH | 8.4 | 1.4% | 43 | No patch |
| CVE-2026-34259 | OS command injection in SAP Forecasting & Replenishment: authenticated administrators can execute arbitrary system commands by abusing a non-remote-enabled function, leading to complete system compromise (full read/write access to system data and possible shutdown). Exploitation is limited to a local attack vector and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation confirmed at the time of analysis; vendor patch available via SAP Security Patch Day. | HIGH | 8.2 | 0.0% | 41 | No patch |
| CVE-2026-0511 | The SAP Fiori app Intercompany Balance Reconciliation fails to enforce proper authorization controls, so authenticated users can escalate privileges and read or modify financial reconciliation data they should not be able to access. No patch is currently available. | HIGH | 8.1 | 0.0% | 41 | No patch |

Signals: "No patch" is the dashboard's patch-tracking field. Several summaries in the same row cite an SAP Security Note for the CVE, so confirm patch status against the note itself before acting on the signal.
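The dashboard figures above (severity counts, unpatched critical/high, patch rate, average EPSS) are aggregates over rows like the ones in the table. The script below is an added example, not code from the page or from the dashboard operator: it parses a Markdown table constructed from the "Top Risky CVEs" rows (summaries shortened), recomputes those aggregates for the subset shown, and ranks the rows with an assumed triage rule (unpatched first, then EPSS, then CVSS) that is not the dashboard's own Priority formula. The rule surfaces CVE-2026-0507, the only row with EPSS above 1%, which a CVSS-led sort leaves near the bottom.

```python
"""Triage helper for a vendor CVE dashboard such as the page above.

Added example, not part of the original page. TABLE_MD is constructed
from the page's 'Top Risky CVEs' table (summaries shortened); the
ranking rule in rank() is an assumption for illustration, not the
dashboard's Priority formula.
"""
from dataclasses import dataclass

# Constructed from the page's table: CVE, shortened summary, severity,
# CVSS, EPSS, dashboard Priority, and the dashboard's "No patch" signal.
TABLE_MD = """\
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-0501 | S/4HANA General Ledger SQL injection | CRITICAL | 9.9 | 0.1% | 50 | No patch |
| CVE-2026-27681 | BPC/BW SQL injection | CRITICAL | 9.9 | 0.0% | 50 | No patch |
| CVE-2026-0488 | CRM / S/4HANA Scripting Editor code execution | CRITICAL | 9.9 | 0.0% | 50 | No patch |
| CVE-2026-0500 | Wily Introscope JNLP command execution | CRITICAL | 9.6 | 0.1% | 48 | |
| CVE-2026-34263 | Commerce Cloud configuration upload | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-0509 | NetWeaver ABAP background RFC | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-34260 | S/4HANA Enterprise Search SQL injection | CRITICAL | 9.6 | 0.0% | 48 | No patch |
| CVE-2026-0498 | S/4HANA RFC ABAP/OS command injection | CRITICAL | 9.1 | 0.1% | 46 | |
| CVE-2026-0491 | Landscape Transformation RFC backdoor | CRITICAL | 9.1 | 0.1% | 46 | No patch |
| CVE-2026-27685 | Enterprise Portal deserialization | CRITICAL | 9.1 | 0.0% | 46 | No patch |
| CVE-2026-0492 | HANA Database missing authentication | HIGH | 8.8 | 0.1% | 44 | |
| CVE-2026-23687 | SAP Basis signature verification | HIGH | 8.8 | 0.0% | 44 | No patch |
| CVE-2026-0507 | AS ABAP / RFCSDK OS command injection | HIGH | 8.4 | 1.4% | 43 | No patch |
| CVE-2026-34259 | Forecasting & Replenishment OS command injection | HIGH | 8.2 | 0.0% | 41 | No patch |
| CVE-2026-0511 | Fiori Intercompany Balance Reconciliation authz | HIGH | 8.1 | 0.0% | 41 | No patch |
"""


@dataclass(frozen=True)
class CveRow:
    cve: str
    severity: str
    cvss: float
    epss: float        # fraction: 0.001 == 0.1%
    priority: int      # dashboard's own Priority column, kept as given
    no_patch: bool     # dashboard's "No patch" signal


def parse_table(md: str) -> list[CveRow]:
    """Parse pipe-delimited rows; header, separator and blank lines are skipped."""
    rows = []
    for line in md.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or not cells[0].startswith("CVE-"):
            continue
        cve, _summary, sev, cvss, epss, prio, signals = cells
        rows.append(CveRow(cve, sev, float(cvss), float(epss.rstrip("%")) / 100,
                           int(prio), "No patch" in signals))
    return rows


def severity_breakdown(rows: list[CveRow]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for r in rows:
        counts[r.severity] = counts.get(r.severity, 0) + 1
    return counts


def unpatched_critical_high(rows: list[CveRow]) -> list[str]:
    """The dashboard's 'Unpatched C/H' metric, restricted to the rows given."""
    return [r.cve for r in rows if r.no_patch and r.severity in ("CRITICAL", "HIGH")]


def patch_rate(rows: list[CveRow]) -> float:
    return sum(not r.no_patch for r in rows) / len(rows)


def avg_epss(rows: list[CveRow]) -> float:
    return sum(r.epss for r in rows) / len(rows)


def watchlist(rows: list[CveRow], epss_floor: float = 0.01) -> list[str]:
    """Unpatched critical/high rows whose EPSS is at or above epss_floor (assumed 1%)."""
    return [r.cve for r in rows
            if r.no_patch and r.severity in ("CRITICAL", "HIGH") and r.epss >= epss_floor]


def rank(rows: list[CveRow]) -> list[str]:
    """Assumed triage order: unpatched first, then higher EPSS, then higher CVSS.

    This differs from the dashboard's CVSS-led Priority column on purpose.
    """
    return [r.cve for r in sorted(rows, key=lambda r: (not r.no_patch, -r.epss, -r.cvss))]


if __name__ == "__main__":
    rows = parse_table(TABLE_MD)
    print("severity:", severity_breakdown(rows))
    print("unpatched C/H:", len(unpatched_critical_high(rows)))
    print("patch rate: %.1f%%" % (100 * patch_rate(rows)))
    print("avg EPSS: %.2f%%" % (100 * avg_epss(rows)))
    print("watchlist:", watchlist(rows))
    print("triage order:", rank(rows))
```

Over the 15 rows shown, the script finds 10 critical and 5 high, 12 unpatched critical/high, a 20% patch rate and a 0.13% average EPSS; the page's headline numbers (17 unpatched C/H, 4.8% patch rate, 0.1% average EPSS) cover all 84 CVEs, so they differ from the subset as expected.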