CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42978 – Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java
https://notcve.org/view.php?id=CVE-2025-42978
08 Jul 2025 — The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted. • https://me.sap.com/notes/3557179 • CWE-940: Improper Verification of Source of a Communication Channel •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42963 – Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer )
https://notcve.org/view.php?id=CVE-2025-42963
08 Jul 2025 — A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. • https://me.sap.com/notes/3621771 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-42989 – Missing Authorization check in SAP NetWeaver Application Server for ABAP
https://notcve.org/view.php?id=CVE-2025-42989
10 Jun 2025 — RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application. • https://me.sap.com/notes/3600840 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30015 – Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)
https://notcve.org/view.php?id=CVE-2025-30015
08 Apr 2025 — Due to incorrect memory address handling in ABAP SQL of SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker with high privileges could execute certain forms of SQL queries leading to manipulation of content in the output variable. This vulnerability has a low impact on the confidentiality, integrity and the availability of the application. Debido a la gestión incorrecta de direcciones de memoria en ABAP SQL de SAP NetWeaver y la plataforma ABAP (Servidor de Aplicaciones ABAP... • https://me.sap.com/notes/3565944 • CWE-787: Out-of-bounds Write •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-26653 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26653
08 Apr 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim�s browser. Availability is not impacted. SAP NetWeaver Application Server ABAP no codifi... • https://me.sap.com/notes/3559307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-23186 – Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2025-23186
08 Apr 2025 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. En ciertas circunstancias, SAP NetWeaver Application Server ABAP permit... • https://me.sap.com/notes/3554667 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2025-26659 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26659
11 Mar 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of victim�s browser potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There... • https://me.sap.com/notes/3552824 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 12EXPL: 0CVE-2025-0070 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0070
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. • https://me.sap.com/notes/3537476 • CWE-287: Improper Authentication •
CVSS: 6.0EPSS: 0%CPEs: 7EXPL: 0CVE-2025-0059 – Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-0059
14 Jan 2025 — Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim�s user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application. • https://me.sap.com/notes/3503138 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0053 – Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0053
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits. • https://me.sap.com/notes/3536461 • CWE-209: Generation of Error Message Containing Sensitive Information •