
SAP

SAP SE, doing business as SAP, is a German multinational software company based in Walldorf, Baden-Württemberg, that is the world's largest vendor of enterprise software.

  • Founded: 1972
  • Products: 593
  • CVEs: 1,818
  • Across products: 1,145
  • Status: Private

Recent CVEs

  • CVE-2016-2386 · Critical · KEV · Feb 16, 2016
    risk 0.84 · cvss 9.8 · epss 0.71

    SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.

  • CVE-2010-5326 · Critical · KEV · May 13, 2016
    risk 0.78 · cvss 10.0 · epss 0.17

    The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour"…

  • CVE-2015-7241 · Critical · Sep 6, 2017
    risk 0.68 · cvss 9.8 · epss 0.12

    XML External Entity (XXE) vulnerability in SAP NetWeaver before 7.01.

  • CVE-2017-12637 · High · KEV · Aug 7, 2017
    risk 0.68 · cvss 7.5 · epss 0.95

    Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security…

  • CVE-2016-3976 · High · KEV · Apr 7, 2016
    risk 0.67 · cvss 7.5 · epss 0.47

    Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.

  • CVE-2016-6256 · Critical · May 26, 2017
    risk 0.66 · cvss 9.6 · epss 0.08

    SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP…

  • CVE-2025-42890 · Critical · Nov 11, 2025
    risk 0.65 · cvss 10.0 · epss 0.01

    SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution. This could cause high impact on confidentiality, integrity and availability of the…

  • CVE-2025-42944 · Critical · Sep 9, 2025
    risk 0.65 · cvss 10.0 · epss 0.03

    Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command…

  • CVE-2025-42967 · Critical · Jul 8, 2025
    risk 0.65 · cvss 9.9 · epss 0.01

    SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code, potentially gaining full control of the affected SAP system, causing high impact on…

  • CVE-2026-44748 · Critical · Jun 9, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information leading to…

  • CVE-2026-27671 · Critical · Jun 9, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This…

  • CVE-2026-27681 · Critical · Apr 14, 2026
    risk 0.64 · cvss 9.9 · epss 0.01

    Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and…

  • CVE-2026-0501 · Critical · Jan 13, 2026
    risk 0.64 · cvss 9.9 · epss 0.00

    Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity,…

  • CVE-2025-42880 · Critical · Dec 9, 2025
    risk 0.64 · cvss 9.9 · epss 0.04

    Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

  • CVE-2025-42887 · Critical · Nov 11, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality,…

  • CVE-2025-42937 · Critical · Oct 14, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    SAP Print Service (SAPSprint) performs insufficient validation of path information provided by users. An unauthenticated attacker could traverse to the parent directory and overwrite system files, causing high impact on confidentiality, integrity and availability of the…

  • CVE-2025-42922 · Critical · Sep 9, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system.

  • CVE-2025-42957 · Critical · Aug 12, 2025
    risk 0.64 · cvss 9.9 · epss 0.02

    SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a…

  • CVE-2025-42950 · Critical · Aug 12, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability…

  • CVE-2025-31330 · Critical · Apr 8, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability…