CVSS: 7.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jun 2025 — SAP NetWeaver Visual Composer contains a Directory Traversal vulnerability caused by insufficient validation of input paths provided by a high-privileged user. This allows an attacker to read or modify arbitrary files, resulting in a high impact on confidentiality and a low impact on integrity. • https://me.sap.com/notes/3610591 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.1 • EPSS: 14% • CPEs: 1 • EXPL: 0

13 May 2025 — SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content... • https://me.sap.com/notes/3604119 • CWE-502: Deserialization of Untrusted Data

CVSS: 10.0 • EPSS: 73% • CPEs: 1 • EXPL: 17

24 Apr 2025 — SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. • https://github.com/rxerium/CVE-2025-31324 • CWE-434: Unrestricted Upload of File with Dangerous Type