
CVE-2025-26653 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26653
08 Apr 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim's browser. Availability is not impacted. • https://me.sap.com/notes/3559307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-23186 – Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2025-23186
08 Apr 2025 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. • https://me.sap.com/notes/3554667 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-27436 – Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2025-27436
11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-27433 – Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2025-27433
11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on the confidentiality and availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-27432 – Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit)
https://notcve.org/view.php?id=CVE-2025-27432
11 Mar 2025 — The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. By executing the specific ABAP method within the ABAP system, an unauthorized attacker could call each transaction and view the inbound delivery details. This vulnerability has a low impact on the confidentiality with no effect on the integrity and the availability of the application. • https://me.sap.com/notes/3568865 • CWE-862: Missing Authorization •

CVE-2025-27430 – Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)
https://notcve.org/view.php?id=CVE-2025-27430
11 Mar 2025 — Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3561861 • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2025-26660 – Broken Access Control in SAP Fiori apps (Posting Library)
https://notcve.org/view.php?id=CVE-2025-26660
11 Mar 2025 — SAP Fiori applications using the posting library fail to properly configure security settings during the setup process, leaving them at default or inadequately defined. This vulnerability allows an attacker with low privileges to bypass access controls within the application, enabling them to potentially modify data. Confidentiality and Availability are not impacted. • https://me.sap.com/notes/3557655 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-26659 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26659
11 Mar 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-based Cross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of the victim's browser, potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There... • https://me.sap.com/notes/3552824 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-26656 – Missing Authorization check in S/4HANA (Manage Purchasing Info Records)
https://notcve.org/view.php?id=CVE-2025-26656
11 Mar 2025 — OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has a low impact on the integrity of the application. • https://me.sap.com/notes/3474392 • CWE-862: Missing Authorization •

CVE-2025-26655 – Missing Authorization check in SAP JIT (Outbound)
https://notcve.org/view.php?id=CVE-2025-26655
11 Mar 2025 — SAP Just In Time (JIT) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges that would otherwise be restricted, potentially causing a low impact on the integrity of the application. Confidentiality and Availability are not impacted. • https://me.sap.com/notes/3347991 • CWE-862: Missing Authorization •