CVE-2026-0498: Code Injection in SAP SE SAP S/4HANA

CWE-94: Code Injection | 4 documents | 4 sources

Severity: 7.2 HIGH (NVD) | CNA: 9.1
EPSS: 0.1% (top 79.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 13

Description

SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

NVD: sap/s_4_hana (8 versions, +7)
CVEListV5: sap_se/sap_s_4hana (8 versions, +7)

Patches

🔴Vulnerability Details (2)

GHSA: GHSA-4p53-w5pc-f48w: SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC (2026-01-13)
CVEList: Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise) (2026-01-13)

🕵️Threat Intelligence (1)

Wiz: CVE-2026-0498 Impact, Exploitability, and Mitigation Steps | Wiz