CVE-2026-0488

Summary

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)S4FND 102affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)103affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)104affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)105affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)106affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)107affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)108affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)109affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)SAP_ABA 700affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)WEBCUIF 700affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)701affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)730affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)731affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)746affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)747affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)748affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)800affected
SAP_SESAP CRM and SAP S/4HANA (Scripting Editor)801affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References