15
CVEs
3
Critical
3
High
0
KEV
0
PoC
4
Unpatched C/H
26.7%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
3
HIGH
3
MEDIUM
8
LOW
1
Monthly CVE Trend
Affected Products (30)
3D Visual Enterprise Viewer
128
Java
126
Netweaver
90
Netweaver Application Server Abap
72
Businessobjects Business Intelligence Platform
70
Netweaver Application Server Java
59
Businessobjects Business Intelligence
44
Hana
38
Open Redirect
34
Solution Manager
31
Business One
30
Adaptive Server Enterprise
29
3D Visual Enterprise Author
27
Internet Graphics Server
23
Netweaver Process Integration
21
Netweaver Enterprise Portal
20
Commerce Cloud
18
Netweaver Abap
18
Hana Extended Application Services
18
Businessobjects
17
Sap Basis
17
Disclosure Management
16
Business Objects Business Intelligence Platform
15
Host Agent
14
Enable Now
14
Customer Relationship Management Webclient Ui
12
Abap Platform
11
Supplier Relationship Management
11
Netweaver As Abap
11
Sap Kernel
10
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-44747 | Memory corruption in SAP NetWeaver Application Server ABAP lets an authenticated attacker exploit logical flaws in memory management (an out-of-bounds write) to read or alter data and crash the system, with high impact on confidentiality, integrity, and availability. SAP rates it CVSS 9.9 with a changed scope, meaning a low-privileged user can affect components beyond their own authorization boundary. There is no public exploit identified at time of analysis, but the low attack complexity and network reachability make it a high-priority patch for any exposed ABAP stack. | CRITICAL | 9.9 | 0.4% | 50 |
No patch
|
| CVE-2026-44761 | Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed. | CRITICAL | 9.1 | 0.4% | 46 |
No patch
|
| CVE-2026-27690 | Request-response desynchronization in SAP Approuter lets an unauthenticated remote attacker send a specially crafted HTTP request that smuggles a second request past the front end, allowing exposure of other users' HTTP responses and denial of service against the application. The flaw carries a CVSS 9.1 (high confidentiality and availability impact) and was reported by SAP; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. | CRITICAL | 9.1 | 0.5% | 46 |
|
| CVE-2026-44752 | Reflected cross-site scripting in SAP NetWeaver Application Server Java (specifically the Configuration Wizard component) lets an unauthenticated attacker embed malicious JavaScript in crafted URLs that executes in a victim's browser when the link is opened. Because the CVSS scope is changed (S:C) and confidentiality impact is high, a successful lure can expose sensitive session information and tamper with non-sensitive data rendered in the client. No public exploit identified at time of analysis, but the 8.2 CVSS and unauthenticated, network-reachable vector make it a meaningful phishing-driven risk for exposed SAP portals. | HIGH | 8.2 | 0.3% | 41 |
No patch
|
| CVE-2026-44745 | Unauthorized access in SAP Approuter arises because the component fails to validate incoming request headers during the OAuth2 login flow under certain configurations (CWE-601, open redirect). An unauthenticated remote attacker who lures a victim into clicking a crafted link can hijack the authentication flow to gain high-confidentiality and high-integrity access to the application. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the network-reachable, low-complexity nature (CVSS 8.1) makes it a meaningful patch priority for SAP BTP/Cloud Foundry environments. | HIGH | 8.1 | 0.3% | 40 |
|
| CVE-2026-58233 | Insecure deserialization in the SAP Change and Transport System Attach Tool (ctsattach) lets an authenticated, low-privileged attacker achieve remote code execution by supplying a crafted archive that a victim then processes through the tool's library. Successful exploitation yields high confidentiality and integrity impact - attackers can read sensitive data and take control of the host and its processes - with low availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the CWE-502 root cause and 7.6 CVSS make this a meaningful patch priority for SAP landscapes. | HIGH | 7.6 | 0.3% | 38 |
No patch
|
| CVE-2026-44759 | Reflected cross-site scripting in SAP NetWeaver Enterprise Portal enables unauthenticated remote attackers to inject arbitrary JavaScript into URL parameters that are echoed back unencoded in server responses. When a victim with an active portal session visits a crafted URL, the injected script executes in their browser under the portal's origin, permitting session token theft, unauthorized manipulation of portal content, or forced redirection to attacker-controlled resources. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, though the unauthenticated network-accessible attack surface and low complexity make phishing-based delivery operationally straightforward. | MEDIUM | 6.1 | 0.2% | 30 |
No patch
|
| CVE-2026-44767 | CSS stylesheet injection in SAP @ui5/webcomponents-base allows unauthenticated remote attackers to load arbitrary cross-origin stylesheets into victim pages by bypassing the sap-allowed-theme-origins allowlist enforcement inside setThemeRoot(). The ?sap-themeRoot URL query parameter is a direct delivery vector, making socially-engineered exploitation trivial - no authentication is required from the attacker (CVSS PR:N), only a victim page load (UI:R). Successful exploitation enables UI redressing, clickjacking, phishing overlays, visual defacement, and limited CSS attribute-selector-based data exfiltration; no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV. | MEDIUM | 6.1 | 0.2% | 30 |
|
| CVE-2026-44769 | SQL injection in SAP S/4HANA Project Management (PPM-PRO) allows a high-privileged authenticated attacker to execute crafted database queries, exposing backend database contents. The vulnerability is reachable over the network but requires both high attack complexity and high privilege level, significantly constraining the realistic attacker pool. No public exploit or active exploitation has been identified at time of analysis, and the CVSS base score of 5.5 reflects these mitigating factors despite the potential for database exposure. | MEDIUM | 5.5 | 0.2% | 28 |
No patch
|
| CVE-2026-14852 | Privilege escalation in Checkmk's mk_sap_hana agent plugin allows a local unprivileged user to execute arbitrary commands as root by planting a process whose name mimics a SAP HANA instance. The plugin, when running as root under the RUNAS=agent configuration and lacking explicit database configuration, blindly reads the OS process list to derive SAP HANA instance identifiers and injects them unsanitized into a shell command executed with root privileges - a textbook CWE-78 OS command injection. No public exploit code or CISA KEV listing exists at time of analysis, but the attack prerequisites are achievable on any misconfigured Checkmk deployment that monitors SAP environments. | MEDIUM | 5.2 | 0.2% | 26 |
|
| CVE-2026-44760 | Reflected XSS in SAP NetWeaver Application Server ABAP's Business Server Pages (BSP) framework allows remote unauthenticated attackers to inject arbitrary JavaScript into HTTP responses when a victim user interacts with a crafted URL. Successful exploitation enables session token theft and execution of authenticated actions on behalf of the victim within the SAP web context. No public exploit code or CISA KEV listing is identified at time of analysis; CVSS AC:H indicates non-trivial conditions must align for successful delivery, moderating real-world risk despite the enterprise sensitivity of SAP environments. | MEDIUM | 4.7 | 0.1% | 24 |
No patch
|
| CVE-2026-44770 | Missing authorization in SAP S/4HANA's Create Single Payment function exposes restricted entity set keys to authenticated but low-privileged users. The flaw (CWE-862) allows a restricted user to query specific payment-related entity sets beyond their intended access scope, resulting in low-impact confidentiality leakage with no effect on data integrity or system availability. No public exploit code exists and this vulnerability is not listed in CISA KEV; EPSS data was not provided, but the CVSS 4.3 medium score and limited impact scope suggest low exploitation urgency. | MEDIUM | 4.3 | 0.2% | 22 |
No patch
|
| CVE-2026-44771 | Privilege escalation in SAP S/4HANA's Draft Operation component allows authenticated restricted users to read entity data beyond their authorized scope due to missing authorization checks. The flaw, classified under CWE-862, is exploitable over the network without elevated privileges, resulting in low confidentiality impact with no effect on integrity or availability. No public exploit code or active exploitation has been identified at time of analysis, keeping real-world risk bounded despite the network-accessible attack vector. | MEDIUM | 4.3 | 0.2% | 22 |
No patch
|
| CVE-2026-44768 | Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. No public exploit code or CISA KEV active exploitation listing has been identified at time of analysis, and impact is bounded to low integrity with no confidentiality or availability consequence. | MEDIUM | 4.1 | 0.2% | 20 |
No patch
|
| CVE-2026-44753 | User account enumeration in SAP HANA Extended Application Services Classic Model (XSC) user self-service tools allows unauthenticated remote attackers to identify valid usernames and email addresses by crafting requests that elicit distinguishable server responses. The CWE-204 root cause - observable response discrepancy - means the application behaves differently for valid versus invalid accounts, leaking account existence without requiring credentials. CVSS scores this at 3.7 (AV:N/AC:H) reflecting network accessibility tempered by high attack complexity; no public exploit code or CISA KEV listing has been identified at time of analysis. | LOW | 3.7 | 0.2% | 18 |
No patch
|