CVSS: 8.4EPSS: 0%CPEs: 7EXPL: 0CVE-2026-0507 – OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK
https://notcve.org/view.php?id=CVE-2026-0507
13 Jan 2026 — Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability. • https://me.sap.com/notes/3675151 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2025-42908 – Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP
https://notcve.org/view.php?id=CVE-2025-42908
14 Oct 2025 — Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restrict... • https://me.sap.com/notes/3642021 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 10EXPL: 0CVE-2025-42902 – Memory Corruption vulnerability in SAP Netweaver AS ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-42902
14 Oct 2025 — Due to the memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, an unauthenticated attacker can send a corrupted SAP Logon Ticket or SAP Assertion Ticket to the SAP application server. This leads to a dereference of NULL which makes the work process crash. As a result, it has a low impact on the availability but no impact on the confidentiality and integrity. • https://me.sap.com/notes/3627308 • CWE-476: NULL Pointer Dereference •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-42958 – Missing Authentication check in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2025-42958
09 Sep 2025 — Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities. This results in a high impact on the confidentiality, integrity, and availability of the application. • https://me.sap.com/notes/3627373 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.4EPSS: 0%CPEs: 5EXPL: 0CVE-2025-42945 – HTML Injection vulnerability in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2025-42945
12 Aug 2025 — SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability. SAP NetWeaver Application Server ABAP presenta una vulnerabilidad de inyección HTML. • https://me.sap.com/notes/3585491 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.1EPSS: 0%CPEs: 10EXPL: 0CVE-2025-42935 – Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform(Internet Communication Manager)
https://notcve.org/view.php?id=CVE-2025-42935
12 Aug 2025 — The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability. SAP NetWeaver Application Server ABAP y ABAP Platform Internet Communication Manager (ICM) permite a los usuarios autorizados con privilegios de administrad... • https://me.sap.com/notes/3601480 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30015 – Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)
https://notcve.org/view.php?id=CVE-2025-30015
08 Apr 2025 — Due to incorrect memory address handling in ABAP SQL of SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker with high privileges could execute certain forms of SQL queries leading to manipulation of content in the output variable. This vulnerability has a low impact on the confidentiality, integrity and the availability of the application. Debido a la gestión incorrecta de direcciones de memoria en ABAP SQL de SAP NetWeaver y la plataforma ABAP (Servidor de Aplicaciones ABAP... • https://me.sap.com/notes/3565944 • CWE-787: Out-of-bounds Write •
CVSS: 4.7EPSS: 0%CPEs: 8EXPL: 0CVE-2025-26653 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26653
08 Apr 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim�s browser. Availability is not impacted. SAP NetWeaver Application Server ABAP no codifi... • https://me.sap.com/notes/3559307 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-23186 – Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2025-23186
08 Apr 2025 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. En ciertas circunstancias, SAP NetWeaver Application Server ABAP permit... • https://me.sap.com/notes/3554667 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 0CVE-2025-26659 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-26659
11 Mar 2025 — SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting (XSS) vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the malicious JavaScript payload executes in the scope of victim�s browser potentially compromising their data and/or manipulating browser content. This leads to a limited impact on confidentiality and integrity. There... • https://me.sap.com/notes/3552824 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •