CVE-2026-24316 — Server-Side Request Forgery in SE SAP Netweaver Application Server FOR Abap

CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

6.4MEDIUMNVD

EPSS

0.0%

top 90.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server FOR Abap

Timeline

PublishedMar 10

Description

SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or external endpoints. The report is therefore vulnerable to Server-Side Request Forgery (SSRF). Successful exploitation could lead to interaction with potentially sensitive internal endpoints, resulting in a low impact on data confidentiality and integrity. There is no impact on availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages1 packages

▶CVEListV5sap_se/sap_netweaver_application_server_for_abap12 versions+11

🔴Vulnerability Details

GHSA

GHSA-x77x-2wjm-8x4r: SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary internal or ex↗2026-03-10

▶

CVEList

Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP↗2026-03-10

▶