CVE-2026-0488
published 2026-02-10


Priority: P2 66
Severity: critical, 9.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.49% (38.4th percentile)
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Affected

36 ranges · showing 25 (the version range and fixed-in columns did not survive extraction; the 25 rows shown are grouped by vendor and product below)

Vendor    Product                              Rows shown   Version range   Fixed in
sap       netweaver_application_server_abap    1            (not shown)     (not shown)
sap       s_4hana                              8            (not shown)     (not shown)
sap       webclient_ui_framework               9            (not shown)     (not shown)
sap_se    sap_crm_and_sap_s_4hana              7            (not shown)     (not shown)

Detection & IOCs (extracted from sources)

  • Monitor authenticated calls to generic function modules in SAP CRM and SAP S/4HANA (Scripting Editor) whose parameters carry SQL statements; passing arbitrary SQL through such a generic call is the core exploitation vector for CVE-2026-0488.
  • No public exploit exists for CVE-2026-0488 at time of publication. Exploitation requires an authenticated attacker, so watching for abnormal authenticated sessions and for privilege escalation in SAP CRM / S/4HANA is the primary defensive posture until the fix is applied.
  • Fixes were made available on February 18–19, 2026 for both Linux and Windows deployments of SAP NetWeaver Application Server ABAP (cpe:2.3:a:sap:netweaver_application_server_abap); ensure patching is applied to all affected platforms.
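The first bullet describes the detection idea but not how to run it. The script below is an added example, not code from this page or from SAP: it scans a few constructed, pipe-separated call records (a hypothetical layout, not SAP's Security Audit Log format) for calls to "generic" function modules whose parameter values contain SQL text, rates write/DDL verbs above plain reads, and counts hits per account so repeated hits from one user stand out. The module names FM_SCRIPT_EXEC, FM_GENERIC_CALL and FM_REPORT_RUN and the user names are assumptions; substitute your own list of generic modules and your own log parser.

```python
"""Flag calls to generic function modules whose parameters carry SQL text.

Added illustration for the detection bullet above; not SAP code. The log
layout, user names and function-module names are all constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records in a hypothetical pipe-separated layout:
# timestamp|user|function_module|param=value;param=value
SAMPLE_LOG = """\
2026-02-11T08:01:12Z|ALICE|FM_SCRIPT_EXEC|script=total := SELECT SUM(amount) FROM zorders
2026-02-11T08:02:45Z|BOB|FM_SCRIPT_EXEC|script=total := price * qty
2026-02-11T08:03:10Z|MALLORY|FM_GENERIC_CALL|stmt=DROP TABLE zcustomers
2026-02-11T08:04:33Z|MALLORY|FM_GENERIC_CALL|stmt=UPDATE usr02 SET ustyp = 'A' WHERE bname = 'MALLORY'
2026-02-11T08:05:00Z|ALICE|FM_REPORT_RUN|report=ZSALES;variant=DEFAULT
"""

# Function modules treated as "generic" (they forward caller-controlled input
# on to other code). Hypothetical names; replace with the ones you care about.
GENERIC_MODULES = {"FM_SCRIPT_EXEC", "FM_GENERIC_CALL"}

# Verbs that change data or schema, and a SELECT ... FROM shape for reads.
WRITE_SQL = re.compile(
    r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|GRANT|EXEC(?:UTE)?)\b", re.I
)
READ_SQL = re.compile(r"\bSELECT\b[^;]*\bFROM\b", re.I)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    module: str
    severity: str  # "high" for write/DDL verbs, "medium" for reads
    evidence: str  # the parameter value that triggered the alert


def parse_record(line):
    """Split one log line into (timestamp, user, module, {param: value}); None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, user, module, raw = parts
    params = {}
    for item in raw.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip()] = value.strip()
    return ts, user, module, params


def classify(module, params):
    """Return (severity, evidence) when a generic module is handed SQL text, else None."""
    if module not in GENERIC_MODULES:
        return None
    for value in params.values():
        if WRITE_SQL.search(value):
            return "high", value
    for value in params.values():
        if READ_SQL.search(value):
            return "medium", value
    return None


def scan(log_text):
    """Run classify() over every record and return the resulting alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, user, module, params = rec
        hit = classify(module, params)
        if hit:
            alerts.append(Alert(ts, user, module, hit[0], hit[1]))
    return alerts


def alerts_per_user(alerts):
    """Alerts per account; repeated hits from one authenticated user is the escalation signal."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.severity:6} {a.user:8} {a.module}: {a.evidence}")
    print(dict(alerts_per_user(found)))
```

Calls to non-generic modules are ignored even when they carry SQL-looking text, so the list in GENERIC_MODULES is what controls the false-positive rate; a read-only SELECT inside a script is reported at lower severity than a DROP or UPDATE because the first bullet's concern is arbitrary statement execution against the database, and writes are what turn that into the full compromise the advisory describes.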