SAP NetWeaver and ABAP Platform
by SAP
CVEs (43)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-0070 | | Cri | 0.64 | 9.9 | 0.01 | | Jan 14, 2025 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential… |
| CVE-2026-23687 | | Hig | 0.57 | 8.8 | 0.00 | | Feb 10, 2026 | SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized… |
| CVE-2025-42938 | | Med | 0.40 | 6.1 | 0.00 | | Sep 9, 2025 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's… |
| CVE-2025-42948 | | Med | 0.40 | 6.1 | 0.00 | | Aug 12, 2025 | Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's… |
| CVE-2024-47586 | | Med | 0.34 | 5.3 | 0.04 | | Nov 12, 2024 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted http request which could cause a null pointer dereference in the kernel. This dereference will result in the system crashing and rebooting, causing the… |
| CVE-2026-24320 | | | 0.00 | — | 0.00 | | Feb 10, 2026 | Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. This may… |
| CVE-2026-0509 | | | 0.00 | — | 0.00 | | Feb 10, 2026 | SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated, low-privileged user to perform background Remote Function Calls without the required S_RFC authorization in certain cases. This can result in a high impact on integrity and availability, and no… |
| CVE-2026-0506 | | | 0.00 | — | 0.00 | | Jan 13, 2026 | Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data… |
| CVE-2025-42956 | | | 0.00 | — | 0.00 | | Jul 8, 2025 | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page… |
| CVE-2025-42986 | | | 0.00 | — | 0.00 | | Jul 8, 2025 | Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality,… |
| CVE-2025-0063 | | | 0.00 | — | 0.01 | | Jan 14, 2025 | SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of… |
| CVE-2025-0053 | | | 0.00 | — | 0.00 | | Jan 14, 2025 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the… |
| CVE-2024-41728 | | | 0.00 | — | 0.00 | | Sep 10, 2024 | Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view… |
| CVE-2024-44114 | | | 0.00 | — | 0.00 | | Sep 10, 2024 | SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application. |
| CVE-2024-41734 | | | 0.00 | — | 0.00 | | Aug 13, 2024 | Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability. |
| CVE-2024-37180 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | Under certain conditions SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to access remote-enabled function module with no further authorization which would otherwise be restricted, the function can be used to read non-sensitive information with low… |
| CVE-2024-39599 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | Due to a Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform, a developer can bypass the configured malware scanner API because of a programming error. This leads to a low impact on the application's confidentiality, integrity, and… |
| CVE-2024-33001 | | | 0.00 | — | 0.00 | | Jun 11, 2024 | SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality… |
| CVE-2024-34687 | | | 0.00 | — | 0.00 | | May 14, 2024 | SAP NetWeaver Application Server for ABAP and ABAP Platform do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker can control code that is executed within a user’s browser, which could result in modification,… |
| CVE-2024-21738 | | | 0.00 | — | 0.00 | | Jan 9, 2024 | SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful… |