CVE-2026-0488

CWE-862 — Missing Authorization4 documents4 sources

Severity

9.9CRITICAL

EPSS

0.0%

top 94.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP CRM AND SAP S/4hana (scripting Editor)SAP Netweaver Application Server Abap SAP S\/4hana +1 more

Timeline

PublishedFeb 10

Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages4 packages

▶CVEListV5sap_se/sap_crm_and_sap_s/4hana_(scripting_editor)18 versions+17

▶NVDsap/s\/4hana8 versions+7

▶NVDsap/netweaver_application700

▶NVDsap/webclient_ui_framework9 versions+8

🔴Vulnerability Details

GHSA

GHSA-rj9r-f39x-h33w: An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorize↗2026-02-10

▶

CVEList

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)↗2026-02-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0488 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶