Search Results (1699 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-42882 1 Sap 6 Application Server, Netweaver, Netweaver Abap and 3 more 2026-04-15 4.3 Medium
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment details of the system could further assist this attacker to plan subsequent attacks. As a result, this vulnerability has a low impact on confidentiality, with no impact on the integrity or availability of the application.
CVE-2025-42884 1 Sap 1 Netweaver Enterprise Portal 2026-04-15 6.5 Medium
SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider.�This could further lead to disclosure or modification of information about the server. There is no impact on availability.
CVE-2025-42912 1 Sap 1 Fiori 2026-04-15 6.5 Medium
SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected.
CVE-2025-42917 1 Sap 1 Fiori 2026-04-15 6.5 Medium
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected.
CVE-2025-42876 1 Sap 2 Hana, S/4 Hana 2026-04-15 7.1 High
Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful exploitation could result in a high impact to confidentiality and a low impact to integrity, while availability remains unaffected.
CVE-2025-42941 1 Sap 1 Fiori Launchpad 2026-04-15 3.5 Low
SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link (<a>) elements. An attacker with administrative user privileges could exploit this by leveraging compromised or malicious pages. While administrative access is necessary for certain configurations, the attacker does not need the administrative privileges to execute the attack. This could result in unintended manipulation of user sessions or exposure of sensitive information. The issue impacts the confidentiality and integrity of the system, but the availability remains unaffected.
CVE-2025-30017 1 Sap 1 Solution Manager 2026-04-15 4.4 Medium
Due to a missing authorization check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. After successful exploitation, an attacker can cause limited impact on the integrity and availability of the application.
CVE-2025-42874 1 Sap 2 Netweaver, Sap Netweaver 2026-04-15 7.9 High
SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality.
CVE-2025-42901 1 Sap 3 Application Server, Netweaver Application Server For Abap, Sap Web Application Server 2026-04-15 5.4 Medium
SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.
CVE-2025-42906 1 Sap 1 Commerce Cloud 2026-04-15 5.3 Medium
SAP Commerce Cloud contains a path traversal vulnerability that may allow users to access web applications such as the Administration Console from addresses where the Administration Console is not explicitly deployed. This could potentially bypass configured access restrictions, resulting in a low impact on confidentiality, with no impact on the integrity or availability of the application.
CVE-2025-42947 1 Sap 1 Fica Odn Framework 2026-04-15 5.5 Medium
SAP FICA ODN framework allows a high privileged user to inject value inside the local variable which can then be executed by the application. An attacker could thereby control the behaviour of the application causing high impact on integrity, low impact on availability and no impact on confidentiality of the application.
CVE-2025-42875 1 Sap 2 Netweaver, Sap Netweaver 2026-04-15 6.6 Medium
The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidentiality, Integrity and Availability of the application.
CVE-2024-42372 1 Sap 1 Netweaver System Landscape Directory 2026-04-15 6.5 Medium
Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.
CVE-2024-47590 1 Sap 1 Web Dispatcher 2026-04-15 8.8 High
An unauthenticated attacker can create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, input data will be used by the web site page generation to create content which when executed in the victim's browser (XXS) or transmitted to another server (SSRF) gives the attacker the ability to execute arbitrary code on the server fully compromising confidentiality, integrity and availability.
CVE-2024-47586 1 Sap 1 Netweaver Abap Application Server 2026-04-15 5.3 Medium
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted http request which could cause a null pointer dereference in the kernel. This dereference will result in the system crashing and rebooting, causing the system to be temporarily unavailable. There is no impact on Confidentiality or Integrity.
CVE-2025-42891 1 Sap 1 Enterprise Search For Abap 2026-04-15 5.5 Medium
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability.
CVE-2025-42928 1 Sap 1 Jconnect 2026-04-15 9.1 Critical
Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system.
CVE-2025-42890 1 Sap 1 Sql Anywhere 2026-04-15 10 Critical
SQL Anywhere Monitor (Non-GUI) baked credentials into the code,exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution.This could cause high impact on confidentiality integrity and availability of the system.
CVE-2025-42888 2 Microsoft, Sap 4 Windows, Gui, Gui For Windows and 1 more 2026-04-15 5.5 Medium
SAP GUI for Windows may allow a highly privileged user on the affected client PC to locally access sensitive information stored in process memory during runtime.This vulnerability has a high impact on confidentiality, with no impact on integrity and availability.
CVE-2025-42885 1 Sap 1 Hana 2026-04-15 5.8 Medium
Due to missing authentication, SAP HANA 2.0 (hdbrss) allows an unauthenticated attacker to call a remote-enabled function that will enable them to view information. As a result, it has a low impact on the confidentiality but no impact on the integrity and availability of the system.