SAP Basis vulnerabilities
18 known vulnerabilities affecting sap/sap_basis.
Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 12
Vulnerabilities
CVE-2026-23687 | HIGH | CVSS 8.8 | v700, v701 +16 more | 2026-02-10
CVE-2026-23687 [HIGH] CWE-347
SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usa
nvd
CVE-2026-0484 | MEDIUM | CVSS 6.5 | v700, v701 +13 more | 2026-02-10
CVE-2026-0484 [MEDIUM] CWE-601
Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated attacker could access a specific transaction code and modify the text data in the system. This vulnerability has a high impact on integrity of the application with no effect on the confidentiality and availability.
nvd
CVE-2026-24312 | MEDIUM | CVSS 5.2 | v752, v753 +6 more | 2026-02-10
CVE-2026-24312 [MEDIUM] CWE-862
An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensitive function to execute unauthorized, high-privilege actions. This has a high impact on data integrity, with low impact on confidentiality and no impact
nvd
CVE-2025-42911 | MEDIUM | CVSS 4.3 | v700, v701 +13 more | 2025-09-09
CVE-2025-42911 [MEDIUM] CWE-862
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application
nvd
CVE-2025-42918 | MEDIUM | CVSS 4.3 | v700, v701 +13 more | 2025-09-09
CVE-2025-42918 [MEDIUM] CWE-862
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability
nvd
CVE-2025-42936 | MEDIUM | CVSS 5.4 | v700, v701 +13 more | 2025-08-12
CVE-2025-42936 [MEDIUM] CWE-266
The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the applicat
nvd
CVE-2025-42956 | MEDIUM | CVSS 6.1 | v700, v701 +13 more | 2025-07-08
CVE-2025-42956 [MEDIUM] CWE-79
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading
nvd
CVE-2025-42986 | MEDIUM | CVSS 4.3 | v700, v701 +8 more | 2025-07-08
CVE-2025-42986 [MEDIUM] CWE-862
Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.
nvd
CVE-2025-23193 | HIGH | CVSS 7.5 | v700, v701 +12 more | 2025-02-11
CVE-2025-23193 [MEDIUM] CWE-204
SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.
nvd
CVE-2025-0063 | HIGH | CVSS 8.8 | v700, v701 +12 more | 2025-01-14
CVE-2025-0063 [HIGH] CWE-89
SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability.
nvd
CVE-2025-0066 | HIGH | CVSS 8.8 | v700, v701 +15 more | 2025-01-14
CVE-2025-0066 [CRITICAL] CWE-732
Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application
nvd
CVE-2025-0053 | MEDIUM | CVSS 5.3 | v700, v701 +11 more | 2025-01-14
CVE-2025-0053 [MEDIUM] CWE-209
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate furth
nvd
CVE-2025-0058 | MEDIUM | CVSS 6.5 | v753, v754 +7 more | 2025-01-14
CVE-2025-0058 [MEDIUM] CWE-639
In SAP Business Workflow and SAP Flexible Workflow, an authenticated attacker can manipulate a parameter in an otherwise legitimate resource request to view sensitive information that should otherwise be restricted. The attacker does not have the ability to modify the information or to make the information unavailable.
nvd
CVE-2024-34689 | MEDIUM | CVSS 5.0 | v700, v701 +12 more | 2024-07-09
CVE-2024-34689 [MEDIUM] CWE-918
WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
nvd
CVE-2024-37180 | MEDIUM | CVSS 5.3 | v700, v701 +12 more | 2024-07-09
CVE-2024-37180 [MEDIUM] CWE-200
Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be restricted, the function can be used to read non-sensitive information with low impact on confidentiality of the application.
nvd
CVE-2024-39599 | MEDIUM | CVSS 4.7 | v700, v701 +14 more | 2024-07-09
CVE-2024-39599 [MEDIUM] CWE-693
Due to a Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform, a developer can bypass the configured malware scanner API because of a programming error. This leads to a low impact on the application's confidentiality, integrity, and availability.
nvd
CVE-2024-34687 | CRITICAL | CVSS 9.0 | v700, v701 +14 more | 2024-05-14
CVE-2024-34687 [MEDIUM] CWE-79
SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
An attacker can control code that is executed within a user’s browser, which could result in modification, deletion of data, including accessing or deleting files, or stealing session co
nvd
CVE-2016-4551 | HIGH | CVSS 7.5 | v7.00 | 2016-10-05
CVE-2016-4551 [HIGH] CWE-284
The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses written to the Security Audit Log via vectors related to the network landscape, aka SAP Security Note 2190621.
nvd