
SAP

Vendor security scorecard – 14 CVEs in the selected period

Risk score: 49
CVEs: 14
Critical: 2
High: 1
KEV (CISA Known Exploited Vulnerabilities): 0
PoC (public exploit code): 0
Unpatched Critical/High: 3
Patch rate: 0.0%
Average EPSS: 0.0%

Severity Breakdown

CRITICAL: 2
HIGH: 1
MEDIUM: 9
LOW: 2

Monthly CVE Trend (chart; no data values extracted)

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, followed by the summary.

CVE-2026-34263 | CRITICAL | CVSS 9.6 | EPSS 0.0% | Priority 48 | Signals: No patch
Summary: Arbitrary server-side code execution in SAP Commerce Cloud via unauthenticated malicious configuration upload and code injection. Attackers can remotely exploit a misconfigured Spring Security framework to upload crafted configuration files and inject code without authentication, requiring only that a user interact with malicious content (CVSS:3.1/AV:N/AC:L/PR:N/UI:R). The vulnerability affects SAP Commerce Cloud Configuration with critical impact across confidentiality, integrity, and availability. No public exploit code or CISA KEV listing was identified at the time of analysis, and EPSS data was unavailable. Patch details are available in SAP Security Note 3733064.

CVE-2026-34260 | CRITICAL | CVSS 9.6 | EPSS 0.0% | Priority 48 | Signals: No patch
Summary: SQL injection in SAP S/4HANA Enterprise Search for ABAP allows authenticated attackers to extract sensitive database information and crash the application via malicious SQL statements injected through improperly validated user input. The scope change (S:C) indicates potential lateral movement beyond the vulnerable component. SAP has released security patches (SAP Note 3724838) for this critical vulnerability with CVSS 9.6. No active exploitation was confirmed at the time of analysis, though the authentication-bypass tag suggests potential credential-bypass implications.

CVE-2026-34259 | HIGH | CVSS 8.2 | EPSS 0.0% | Priority 41 | Signals: No patch
Summary: OS command injection in SAP Forecasting & Replenishment allows authenticated administrators to execute arbitrary system commands through abuse of a non-remote-enabled function, leading to complete system compromise. The vulnerability enables full read/write access to system data and potential system shutdown, though exploitation is constrained to local attack vectors and requires high-privilege administrative access (CVSS 8.2). No public exploit code or active exploitation was confirmed at the time of analysis, and a vendor patch is available via SAP Security Patch Day.

CVE-2026-40135 | MEDIUM | CVSS 6.5 | EPSS 0.2% | Priority 33 | Signals: No patch
Summary: OS command injection in SAP NetWeaver Application Server for ABAP and ABAP Platform allows authenticated administrators to execute arbitrary shell commands on the server while bypassing audit logging. The vulnerability affects integrity and availability but not confidentiality, and requires high-privilege administrative access over the network with no user interaction. CVSS 6.5 reflects the high-privilege requirement despite the severe impact potential.

CVE-2026-40133 | MEDIUM | CVSS 6.3 | EPSS 0.0% | Priority 32 | Signals: No patch
Summary: Missing authorization checks in SAP S/4HANA Condition Maintenance allow authenticated attackers to view and modify condition table records they should not have access to, compromising data confidentiality and integrity while potentially denying legitimate users access to those same records. The vulnerability requires valid user credentials but affects all versions of the affected module, with CVSS 6.3 reflecting its impact across all three security dimensions.

CVE-2026-40137 | MEDIUM | CVSS 6.1 | EPSS 0.0% | Priority 31 | Signals: No patch
Summary: SAP Business Server Pages TAF_APPLAUNCHER contains a cross-site scripting vulnerability that allows unauthenticated attackers to craft malicious links that redirect users to attacker-controlled sites, potentially exposing or altering sensitive information. The vulnerability requires user interaction (clicking the link) and affects confidentiality and integrity, with a CVSS score of 6.1. No active exploitation has been publicly confirmed at the time of analysis.

CVE-2026-40132 | MEDIUM | CVSS 5.4 | EPSS 0.0% | Priority 27 | Signals: No patch
Summary: Missing authorization checks in the Scorecard Wizard of SAP Strategic Enterprise Management (a Business Server Pages application) allow authenticated users to access restricted information and modify risk evaluation settings without proper authorization. An attacker with valid credentials can view confidential data and alter default configuration values, artificially reducing assessed risk levels to deceive risk assessment processes. No patch availability or active exploitation has been confirmed.

CVE-2026-0502 | MEDIUM | CVSS 5.4 | EPSS 0.0% | Priority 27 | Signals: No patch
Summary: Cross-site request forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform allows unauthenticated attackers to trick authenticated users into sending unintended requests to the web server, resulting in low-impact modifications to application integrity and availability. The vulnerability requires user interaction (clicking a malicious link) and affects all versions of the platform due to insufficient CSRF token validation. There is no confidentiality impact, which limits the attack surface to state-changing operations.

CVE-2026-27682 | MEDIUM | CVSS 4.7 | EPSS 0.0% | Priority 24 | Signals: No patch
Summary: Reflected cross-site scripting (XSS) in SAP NetWeaver Application Server ABAP (Business Server Pages) allows unauthenticated attackers to inject malicious scripts via unprotected URL parameters. Successful exploitation requires victim interaction (clicking a crafted link) and affects the confidentiality and integrity of application data. No public exploit code or active exploitation was reported at the time of analysis.

CVE-2026-40129 | MEDIUM | CVSS 4.3 | EPSS 0.0% | Priority 22 | Signals: No patch
Summary: Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates the practical risk in multi-tenant environments.

CVE-2026-40136 | MEDIUM | CVSS 4.3 | EPSS 0.0% | Priority 22 | Signals: No patch
Summary: SAP Financial Consolidation permits authenticated attackers to forcibly terminate other users' sessions, temporarily denying them access to the application. The vulnerability has limited impact, affecting only availability through session disconnection while leaving the application itself and all data integrity and confidentiality intact. The CVSS score of 4.3 reflects low severity, and no public exploit code or active exploitation has been identified.

CVE-2026-40134 | MEDIUM | CVSS 4.3 | EPSS 0.0% | Priority 22 | Signals: No patch
Summary: Insufficient authorization checks in SAP Incentive and Commission Management allow authenticated users to invoke remote-enabled function modules and perform unauthorized table update operations, compromising data integrity. The vulnerability requires valid user credentials and network access but has limited scope: no confidentiality or availability impact. CVSS 4.3 (low) reflects the authentication requirement and integrity-only impact; no active exploitation or public PoC was identified at analysis time.

CVE-2026-40131 | LOW | CVSS 3.4 | EPSS 0.0% | Priority 17 | Signals: No patch
Summary: SQL injection in the SAP HANA Deployment Infrastructure (HDI) deploy library allows high-privileged users to manipulate dynamically constructed SQL queries, potentially altering SELECT statements and compromising confidentiality and availability. The attack requires local access and high privileges (PR:H), limiting real-world risk despite the severity usually associated with SQL injection. No public exploit code or active exploitation has been identified at the time of analysis.

CVE-2026-27680 | LOW | CVSS 3.1 | EPSS 0.0% | Priority 16 | Signals: No patch
Summary: CSS injection in SAP NetWeaver Application Server ABAP allows unauthenticated remote attackers to inject malicious Cascading Style Sheets into web pages served by the application, with exploitation requiring user interaction (clicking or accessing the affected page). The injected CSS executes in the victim's browser context, resulting in low-impact confidentiality loss; integrity and availability are not affected. CVSS 3.1 reflects the limited impact and the high attack complexity required.
