CVE-2026-0488

Published: Feb 10, 2026Modified: Feb 17, 2026

9.9

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 3.1 / Impact: 6.0

Source: NVD

Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Affected (18)

Products: Sap: Netweaver Application Server Abap, S/4hana, Webclient Ui Framework

Sap

3 products

Netweaver Application Server Abap

S/4hana

Webclient Ui Framework

Configuration A

18 vulnerable

Vulnerable Software	Affected Versions
Sap Netweaver Application Server Abap	Version 700
Sap S/4hana	Version 102
Sap S/4hana	Version 103
Sap S/4hana	Version 104
Sap S/4hana	Version 105
Sap S/4hana	Version 106
Sap S/4hana	Version 107
Sap S/4hana	Version 108
Sap S/4hana	Version 109
Sap Webclient Ui Framework	Version 700
Sap Webclient Ui Framework	Version 701
Sap Webclient Ui Framework	Version 730
Sap Webclient Ui Framework	Version 731
Sap Webclient Ui Framework	Version 746
Sap Webclient Ui Framework	Version 747
Sap Webclient Ui Framework	Version 748
Sap Webclient Ui Framework	Version 800
Sap Webclient Ui Framework	Version 801

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://me.sap.com/notes/3697099

Source: cna@sap.com

Permissions Required

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Vendor Advisory

Timeline

No history available yet.