Filtered by vendor Sap Subscriptions
Filtered by product Netweaver Subscriptions
Total 128 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2009-2932 1 Sap 1 Netweaver 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in uddiclient/process in the UDDI client in SAP NetWeaver Application Server (Java) 7.0 allows remote attackers to inject arbitrary web script or HTML via the TModel Key field.
CVE-2008-1846 1 Sap 1 Netweaver 2026-04-23 N/A
The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.
CVE-2008-3358 2 Microsoft, Sap 2 Internet Explorer, Netweaver 2026-04-23 N/A
Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document.
CVE-2026-23685 2 Sap, Sap Se 2 Netweaver, Sap Netweaver (jms Service) 2026-04-18 4.4 Medium
Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected.
CVE-2026-0506 1 Sap 6 Abap Platform, Application Server, Netweaver and 3 more 2026-04-18 8.1 High
Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
CVE-2026-0507 1 Sap 5 Application Server, Netweaver, Netweaver Abap and 2 more 2026-04-18 8.4 High
Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability.
CVE-2025-42875 1 Sap 2 Netweaver, Sap Netweaver 2026-04-15 6.6 Medium
The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidentiality, Integrity and Availability of the application.
CVE-2025-42935 1 Sap 5 Abap Platform, As Abap, Netweaver and 2 more 2026-04-15 4.1 Medium
The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability.
CVE-2025-42927 1 Sap 5 Java As, Netweaver, Netweaver As Abap and 2 more 2026-04-15 3.4 Low
SAP NetWeaver AS Java application uses Adobe Document Service, installed with a vulnerable version of OpenSSL.Successful exploitation of known vulnerabilities in the outdated OpenSSL library would allow user with high system privileges to access and modify system information.This vulnerability has a low impact on confidentiality and integrity, with no impact on availability.
CVE-2025-42945 1 Sap 4 Abap Platform, Application Server, As Abap and 1 more 2026-04-15 6.1 Medium
SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability.
CVE-2024-47580 1 Sap 1 Netweaver 2026-04-15 6.8 Medium
An attacker authenticated as an administrator can use an exposed webservice to create a PDF with an embedded attachment. By specifying the file to be an internal server file and subsequently downloading the generated PDF, the attacker can read any file on the server with no effect on integrity or availability.
CVE-2025-42948 1 Sap 4 Abap Platform, Netweaver, Netweaver Abap and 1 more 2026-04-15 6.1 Medium
Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website�s page generation, resulting in the creation of malicious content. When this malicious content gets executed, the attacker could gain the ability to access/modify information within the scope of victim�s browser.
CVE-2025-42976 1 Sap 2 Netweaver, Netweaver Application Server For Abap 2026-04-15 8.1 High
SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information.
CVE-2025-42874 1 Sap 2 Netweaver, Sap Netweaver 2026-04-15 7.9 High
SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality.
CVE-2024-33006 1 Sap 1 Netweaver 2026-04-15 9.6 Critical
An unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise system. 
CVE-2025-42953 1 Sap 1 Netweaver 2026-04-15 8.1 High
SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system.
CVE-2024-32733 1 Sap 1 Netweaver 2026-04-15 6.1 Medium
Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify sensitive information with no impact on availability of the application
CVE-2025-42925 1 Sap 4 Java As, Netweaver, Netweaver Java and 1 more 2026-04-15 4.3 Medium
Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability of the service.
CVE-2025-42958 1 Sap 2 Netweaver, Sap Netweaver 2026-04-15 9.1 Critical
Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities. This results in a high impact on the confidentiality, integrity, and availability of the application.
CVE-2025-42922 1 Sap 4 Java As, Netweaver, Netweaver Java and 1 more 2026-04-15 9.9 Critical
SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise of confidentiality, integrity and availability of the system.