Search Results (1699 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-44120 1 Sap 1 Netweaver Enterprise Portal 2026-04-15 4.7 Medium
SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser.
CVE-2025-42938 1 Sap 2 Abap Platform, Netweaver Abap 2026-04-15 6.1 Medium
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website�s page generation, resulting in the creation of malicious content. When executed, this content allows the attacker to access or modify information within the victim's browser scope, impacting the confidentiality and integrity�while availability remains unaffected.
CVE-2025-42883 1 Sap 5 Application Server, Netweaver, Netweaver Abap and 2 more 2026-04-15 2.7 Low
Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application.
CVE-2025-42927 1 Sap 5 Java As, Netweaver, Netweaver As Abap and 2 more 2026-04-15 3.4 Low
SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow user with high system privileges to access and modify system information.This vulnerability has a low impact on confidentiality and integrity, with no impact on availability.
CVE-2025-42907 2 Sap, Sap Se 2 Businessobjects Bi Platform, Sap Business Objects Business Intgelligence Platform 2026-04-15 4.3 Medium
SAP BI Platform allows an attacker to modify the IP address of the LogonToken for the OpenDoc. On accessing the modified link in the browser a different server could get the ping request. This has low impact on integrity with no impact on confidentiality and availability of the system.
CVE-2025-42937 1 Sap 1 Sapsprint 2026-04-15 9.8 Critical
SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application.
CVE-2025-42928 1 Sap 1 Jconnect 2026-04-15 9.1 Critical
Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system.
CVE-2025-42942 1 Sap 1 Netweaver Application Server For Abap 2026-04-15 6.1 Medium
SAP NetWeaver Application Server for ABAP has cross-site scripting vulnerability. Due to this, an unauthenticated attacker could craft a URL embedded with malicious script and trick an unauthenticated victim to click on it to execute the script. Upon successful exploitation, the attacker could access and modify limited information within the scope of victim's browser. This vulnerability has no impact on availability of the application.
CVE-2025-42897 1 Sap 1 Business One 2026-04-15 5.3 Medium
Due to information disclosure vulnerability in anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on the integrity and availability.
CVE-2025-42899 1 Sap 1 S4core 2026-04-15 4.3 Medium
SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application.
CVE-2025-42901 1 Sap 3 Application Server, Netweaver Application Server For Abap, Sap Web Application Server 2026-04-15 5.4 Medium
SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.
CVE-2025-42914 1 Sap 1 Fiori 2026-04-15 3.1 Low
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted.
CVE-2025-42935 1 Sap 5 Abap Platform, As Abap, Netweaver and 2 more 2026-04-15 4.1 Medium
The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability.
CVE-2025-42910 1 Sap 1 Supplier Relationship Management 2026-04-15 9 Critical
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
CVE-2025-42961 1 Sap 1 Netweaver Application Server For Abap 2026-04-15 4.9 Medium
Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored. However, the integrity and availability of the system remain unaffected.
CVE-2025-42939 1 Sap 2 S/4hana, S4hana 2026-04-15 4.3 Medium
SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.
CVE-2025-42887 1 Sap 1 Solution Manager 2026-04-15 9.9 Critical
Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system.
CVE-2025-42950 1 Sap 1 Landscape Transformation 2026-04-15 9.9 Critical
SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
CVE-2025-42895 1 Sap 1 Hana-client 2026-04-15 6.9 Medium
Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application.
CVE-2025-42924 1 Sap 2 E-recruiting, S4hana 2026-04-15 6.1 Medium
SAP S/4HANA landscape SAP E-Recruiting BSP allows an unauthenticated attacker to craft malicious links, when clicked the victim could be redirected to the page controlled by the attacker. This has low impact on confidentiality and integrity of the application with no impact on availability.