Filtered by vendor Sap
Subscriptions
Total
1690 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-42889 | 1 Sap | 1 Starter Solution | 2026-04-15 | 5.4 Medium |
| SAP Starter Solution allows an authenticated attacker to execute crafted database queries, thereby exposing the back-end database. As a result, this vulnerability has a low impact on the application's confidentiality and integrity but no impact on its availability. | ||||
| CVE-2025-42888 | 2 Microsoft, Sap | 4 Windows, Gui, Gui For Windows and 1 more | 2026-04-15 | 5.5 Medium |
| SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime.This vulnerability has a high impact on confidentiality, with no impact on integrity and availability. | ||||
| CVE-2020-37022 | 2 Openz, Sap | 2 Erp, Erp | 2026-04-15 | 6.4 Medium |
| OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module's name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. | ||||
| CVE-2025-42950 | 1 Sap | 1 Landscape Transformation | 2026-04-15 | 9.9 Critical |
| SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | ||||
| CVE-2025-42903 | 1 Sap | 1 Financial Service Claims Management | 2026-04-15 | 4.3 Medium |
| A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability. | ||||
| CVE-2025-42885 | 1 Sap | 1 Hana | 2026-04-15 | 5.8 Medium |
| Due to missing authentication, SAP HANA 2.0 (hdbrss) allows an unauthenticated attacker to call a remote-enabled function that will enable them to view information. As a result, it has a low impact on the confidentiality but no impact on the integrity and availability of the system. | ||||
| CVE-2025-42928 | 1 Sap | 1 Jconnect | 2026-04-15 | 9.1 Critical |
| Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system. | ||||
| CVE-2025-42872 | 1 Sap | 1 Netweaver Enterprise Portal | 2026-04-15 | 6.1 Medium |
| Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users� browsers, allowing the attacker to steal session cookies, tokens, and other sensitive information. As a result, the vulnerability has a low impact on confidentiality and integrity and no impact on availability. | ||||
| CVE-2025-42917 | 1 Sap | 1 Fiori | 2026-04-15 | 6.5 Medium |
| SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected. | ||||
| CVE-2025-42907 | 2 Sap, Sap Se | 2 Businessobjects Bi Platform, Sap Business Objects Business Intgelligence Platform | 2026-04-15 | 4.3 Medium |
| SAP BI Platform allows an attacker to modify the IP address of the LogonToken for the OpenDoc. On accessing the modified link in the browser a different server could get the ping request. This has low impact on integrity with no impact on confidentiality and availability of the system. | ||||
| CVE-2025-42891 | 1 Sap | 1 Enterprise Search For Abap | 2026-04-15 | 5.5 Medium |
| Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability. | ||||
| CVE-2025-24874 | 1 Sap | 1 Commerce Backoffice | 2026-04-15 | 6.8 Medium |
| SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information. | ||||
| CVE-2025-42949 | 1 Sap | 1 Abap Platform | 2026-04-15 | 4.9 Medium |
| Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected. | ||||
| CVE-2025-42876 | 1 Sap | 2 Hana, S/4 Hana | 2026-04-15 | 7.1 High |
| Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful exploitation could result in a high impact to confidentiality and a low impact to integrity, while availability remains unaffected. | ||||
| CVE-2025-42935 | 1 Sap | 5 Abap Platform, As Abap, Netweaver and 2 more | 2026-04-15 | 4.1 Medium |
| The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability. | ||||
| CVE-2025-42883 | 1 Sap | 5 Application Server, Netweaver, Netweaver Abap and 2 more | 2026-04-15 | 2.7 Low |
| Migration Workbench (DX Workbench) in SAP NetWeaver Application Server for ABAP fails to trigger a malware scan when an attacker with administrative privileges uploads files to the application server. An attacker could leverage this and upload a malicious file into the system. This results in a low impact on the integrity of the application. | ||||
| CVE-2025-42887 | 1 Sap | 1 Solution Manager | 2026-04-15 | 9.9 Critical |
| Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system. | ||||
| CVE-2025-30017 | 1 Sap | 1 Solution Manager | 2026-04-15 | 4.4 Medium |
| Due to a missing authorization check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. After successful exploitation, an attacker can cause limited impact on the integrity and availability of the application. | ||||
| CVE-2024-44120 | 1 Sap | 1 Netweaver Enterprise Portal | 2026-04-15 | 4.7 Medium |
| SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. | ||||
| CVE-2025-42937 | 1 Sap | 1 Sapsprint | 2026-04-15 | 9.8 Critical |
| SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and over-write system files causing high impact on confidentiality integrity and availability of the application. | ||||