
CVE-2025-42957 – Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
https://notcve.org/view.php?id=CVE-2025-42957
12 Aug 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. • https://me.sap.com/notes/3627998 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-42946 – Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management)
https://notcve.org/view.php?id=CVE-2025-42946
12 Aug 2025 — Due to a directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Management could gain unauthorized access to sensitive operating system files. This could allow the attacker to read or delete these files, causing a high impact on confidentiality and a low impact on integrity. There is no impact on availability of the system. • https://me.sap.com/notes/3614804 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-42934 – CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice)
https://notcve.org/view.php?id=CVE-2025-42934
12 Aug 2025 — SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability. • https://me.sap.com/notes/3616863 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVE-2025-42967 – Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)
https://notcve.org/view.php?id=CVE-2025-42967
08 Jul 2025 — SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code, potentially gaining full control of the affected SAP system and causing high impact on confidentiality, integrity, and availability of the application. SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code po... • https://me.sap.com/notes/3618955 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-42987 – Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement)
https://notcve.org/view.php?id=CVE-2025-42987
10 Jun 2025 — SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit the shared rules of any user by tampering with a request parameter. Due to a missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of the application. • https://me.sap.com/notes/3596850 • CWE-862: Missing Authorization

CVE-2025-42984 – Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)
https://notcve.org/view.php?id=CVE-2025-42984
10 Jun 2025 — SAP S/4HANA Manage Central Purchase Contract does not perform the necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity, making it inaccessible for unrestricted users. This has a low impact on confidentiality and availability of the application. • https://me.sap.com/notes/3441087 • CWE-862: Missing Authorization

CVE-2025-43010 – Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On-Premise (SCM Master Data Layer (MDL))
https://notcve.org/view.php?id=CVE-2025-43010
13 May 2025 — SAP S/4HANA Cloud Private Edition or On-Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP standard programs. This is due to a lack of input validation and no authorization checks. This has a low confidentiality impact but a high impact on integrity and availability of the application. • https://me.sap.com/notes/3600859 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-27429 – Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
https://notcve.org/view.php?id=CVE-2025-27429
08 Apr 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. • https://me.sap.com/notes/3581961 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-27430 – Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4HANA (Interaction Center)
https://notcve.org/view.php?id=CVE-2025-27430
11 Mar 2025 — Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3561861 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2025-26656 – Missing Authorization check in S/4HANA (Manage Purchasing Info Records)
https://notcve.org/view.php?id=CVE-2025-26656
11 Mar 2025 — The OData Service in Manage Purchasing Info Records does not perform the necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has a low impact on the integrity of the application. • https://me.sap.com/notes/3474392 • CWE-862: Missing Authorization