ReportizFlow
Filtered by vendor Sap
Subscriptions
Total
1689 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-42891 | 1 Sap | 1 Enterprise Search For Abap | 2026-04-15 | 5.5 Medium |
| Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability. | ||||
| CVE-2025-42919 | 1 Sap | 1 Netweaver Application Server Java | 2026-04-15 | 5.3 Medium |
| Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server. | ||||
| CVE-2025-42943 | 1 Sap | 1 Sap Gui | 2026-04-15 | 4.5 Medium |
| SAP GUI for Windows may allow the leak of NTML hashes when specific ABAP frontend services are called with UNC paths. For a successful attack, the attacker needs developer authorization in a specific Application Server ABAP to make changes in the code, and the victim needs to execute by using SAP GUI for Windows. This could trigger automatic NTLM authentication, potentially exposing hashed credentials to an attacker. As a result, it has a high impact on the confidentiality. | ||||
| CVE-2025-42899 | 1 Sap | 1 S4core | 2026-04-15 | 4.3 Medium |
| SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application. | ||||
| CVE-2025-42909 | 1 Sap | 1 Cloud Appliance Library Appliances | 2026-04-15 | 3 Low |
| SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and availability is not impacted. | ||||
| CVE-2025-42933 | 1 Sap | 1 Business One | 2026-04-15 | 8.8 High |
| When a user logs in via SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within http response body. As a result, it has a high impact on the confidentiality, integrity, and availability of the application. | ||||
| CVE-2025-42903 | 1 Sap | 1 Financial Service Claims Management | 2026-04-15 | 4.3 Medium |
| A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability. | ||||
| CVE-2025-42922 | 1 Sap | 4 Java As, Netweaver, Netweaver Java and 1 more | 2026-04-15 | 9.9 Critical |
| SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system. | ||||
| CVE-2025-42885 | 1 Sap | 1 Hana | 2026-04-15 | 5.8 Medium |
| Due to missing authentication, SAP HANA 2.0 (hdbrss) allows an unauthenticated attacker to call a remote-enabled function that will enable them to view information. As a result, it has a low impact on the confidentiality but no impact on the integrity and availability of the system. | ||||
| CVE-2025-42910 | 1 Sap | 1 Supplier Relationship Management | 2026-04-15 | 9 Critical |
| Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application. | ||||
| CVE-2024-47586 | 1 Sap | 1 Netweaver Abap Application Server | 2026-04-15 | 5.3 Medium |
| SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted http request which could cause a null pointer dereference in the kernel. This dereference will result in the system crashing and rebooting, causing the system to be temporarily unavailable. There is no impact on Confidentiality or Integrity. | ||||
| CVE-2025-42874 | 1 Sap | 2 Netweaver, Sap Netweaver | 2026-04-15 | 7.9 High |
| SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality. | ||||
| CVE-2025-42949 | 1 Sap | 1 Abap Platform | 2026-04-15 | 4.9 Medium |
| Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected. | ||||
| CVE-2025-42939 | 1 Sap | 2 S/4hana, S4hana | 2026-04-15 | 4.3 Medium |
| SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability. | ||||
| CVE-2025-42875 | 1 Sap | 2 Netweaver, Sap Netweaver | 2026-04-15 | 6.6 Medium |
| The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidentiality, Integrity and Availability of the application. | ||||
| CVE-2025-24874 | 1 Sap | 1 Commerce Backoffice | 2026-04-15 | 6.8 Medium |
| SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. | ||||
| CVE-2025-42946 | 1 Sap | 1 S/4hana | 2026-04-15 | 6.9 Medium |
| Due to directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Management could gain unauthorized access to sensitive operating system files. This could allow the attacker to potentially read or delete these files hence causing a high impact on confidentiality and low impact on integrity. There is no impact on availability of the system. | ||||
| CVE-2025-42930 | 1 Sap | 1 Business Planning And Consolidation | 2026-04-15 | 6.5 Medium |
| SAP Business Planning and Consolidation allows an authenticated standard user to call a function module by crafting specific parameters that causes a loop, consuming excessive resources and resulting in system unavailability. This leads to high impact on the availability of the application, there is no impact on confidentiality or integrity. | ||||
| CVE-2025-42934 | 1 Sap | 1 S/4hana | 2026-04-15 | 4.3 Medium |
| SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability. | ||||
| CVE-2025-42976 | 1 Sap | 2 Netweaver, Netweaver Application Server For Abap | 2026-04-15 | 8.1 High |
| SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information. | ||||