SAP SE SAP NetWeaver Application Server ABAP vulnerabilities
21 known vulnerabilities affecting sap_se/sap_netweaver_application_server_abap.
Total CVEs: 21
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 18
Vulnerabilities
Page 1 of 2
CVE-2026-34257 [MEDIUM] CVSS 6.1 | CWE-601 | versions: SAP_BASIS 700, SAP_BASIS 701 (+12 more) | 2026-04-14
Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, would redirect them to a page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability.
Sources: cvelistv5, nvd

CVE-2025-42976 [HIGH] CVSS 8.1 | CWE-125 | versions: S4COREOP 104, 105 (+13 more) | 2025-08-12
SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly c
Sources: cvelistv5, nvd

CVE-2025-42945 [MEDIUM] CVSS 6.1 | CWE-94 | versions: KRNL64UC 7.53, KERNEL 7.53 (+4 more) | 2025-08-12
SAP NetWeaver Application Server ABAP has an HTML injection vulnerability. Due to this, an attacker could craft a URL with a malicious script as payload and trick a victim with an active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability.
Sources: cvelistv5, nvd

CVE-2025-42975 [MEDIUM] CVSS 6.1 | CWE-79 | versions: S4COREOP 104, 105 (+13 more) | 2025-08-12
SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client
Sources: cvelistv5, nvd

CVE-2025-42981 [MEDIUM] CVSS 6.1 | CWE-601 | versions: SAP_BASIS 700, SAP_BASIS 701 (+13 more) | 2025-07-08
Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. When a victim clicks on this link, the script executes within the victim's browser, redirecting them to a site controlled by the attacker. This allows th
Sources: cvelistv5, nvd

CVE-2025-42956 [MEDIUM] CVSS 6.1 | CWE-79 | versions: SAP_BASIS 700, SAP_BASIS 701 (+13 more) | 2025-07-08
SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading
Sources: cvelistv5, nvd

CVE-2025-23186 [HIGH] CVSS 8.5 | CWE-94 | versions: KRNL64NUC 7.22, 7.22EXT (+7 more) | 2025-04-08
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a sign
Sources: cvelistv5, nvd

CVE-2025-27437 [MEDIUM] CVSS 4.3 | CWE-862 | versions: SAP_BASIS 700, SAP_BASIS 701 (+12 more) | 2025-04-08
A Missing Authorization Check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive data without further authorization and with no effect on availability.
Sources: cvelistv5, nvd

CVE-2025-26653 [MEDIUM] CVSS 4.7 | CWE-79 | versions: KRNL64NUC 7.22, 7.22EXT (+8 more) | 2025-04-08
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compro
Sources: cvelistv5, nvd

CVE-2025-26659 [MEDIUM] CVSS 6.1 | CWE-79 | versions: KRNL64UC 7.53, KERNEL 7.53 (+5 more) | 2025-03-11
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-based Cross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of
Sources: cvelistv5, nvd

CVE-2025-25242 [MEDIUM] CVSS 6.1 | CWE-79 | versions: SAP_BASIS 740, SAP_BASIS 750 (+9 more) | 2025-03-11
SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity.
Sources: cvelistv5, nvd

CVE-2025-0059 [MEDIUM] CVSS 6.0 | CWE-497 | versions: KRNL64UC 7.53, KERNEL 7.53 (+6 more) | 2025-01-14
Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the d
Sources: cvelistv5, nvd

CVE-2025-0068 [MEDIUM] CVSS 4.3 | CWE-862 | versions: SAP_BASIS 700, SAP_BASIS 701 (+12 more) | 2025-01-14
An obsolete functionality in SAP NetWeaver Application Server ABAP did not perform necessary authorization checks. Because of this, an authenticated attacker could obtain information that would otherwise be restricted. It has no impact on integrity or availability on the application.
Sources: cvelistv5, nvd

CVE-2024-54198 [HIGH] CVSS 8.5 | CWE-914 | versions: KRNL64NUC 7.22, 7.22EXT (+7 more) | 2024-12-10
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a sig
Sources: cvelistv5, nvd

CVE-2024-47593 [MEDIUM] CVSS 4.3 | CWE-276 | versions: KRNL64UC 7.53, KERNEL 7.53 (+5 more) | 2024-11-12
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted. This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTM
Sources: cvelistv5, nvd

CVE-2024-41732 [MEDIUM] CVSS 5.4 | CWE-284 | versions: SAP_UI 754, 755 (+8 more) | 2024-08-13
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availabili
Sources: cvelistv5, nvd

CVE-2024-24740 [MEDIUM] CVSS 5.3 | CWE-732 | versions: KERNEL 7.53, KERNEL 7.54 (+6 more) | 2024-02-13
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.
Sources: cvelistv5, nvd

CVE-2022-29610 [MEDIUM] CVSS 5.4 | CWE-79 | versions: 753, 754 (+2 more) | 2022-05-11
SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could result in Stored Cross-Site Scripting (XSS) attack.
Sources: cvelistv5, nvd

CVE-2021-33665 [MEDIUM] CVSS 5.4 | CWE-79 | fixed in KRNL64NUC - 7.49, fixed in KRNL64UC - 7.49 (+5 more) | 2021-06-09
SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL - 7.49,7.53,7.77,7.81,7.84, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Sources: cvelistv5, nvd

CVE-2021-33664 [MEDIUM] CVSS 5.4 | CWE-79 | fixed in SAP_UI - 750, fixed in 752 (+5 more) | 2021-06-09
SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Sources: cvelistv5, nvd