Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-13
CVE-2026-0507 - SAP Application Server for ABAP and SAP NetWeaver RFCSDK Plugin
Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability.
PLUGIN
SAP Application Server for ABAP and SAP NetWeaver RFCSDK
CVE-2026-0507
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0511 - SAP Fiori App (Intercompany Balance Reconciliation) Plugin
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted.
PLUGIN
SAP Fiori App (Intercompany Balance Reconciliation)
CVE-2026-0511
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0506 - SAP NetWeaver Application Server ABAP and ABAP Platform Plugin
Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an RFC function to execute form routines (FORMs) in the ABAP system. Successful exploitation could allow the attacker to write or modify data accessible via FORMs and invoke system functionality exposed via FORMs, resulting in a high impact on integrity and availability, while confidentiality remains unaffected.
PLUGIN
SAP NetWeaver Application Server ABAP and ABAP Platform
CVE-2026-0506
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0513 - SAP Supplier Relationship Management (SICF Handler in SRM Catalog) Plugin
Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted.
PLUGIN
SAP Supplier Relationship Management (SICF Handler in SRM Catalog)
CVE-2026-0513
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0504 - SAP Identity Management Plugin
Due to insufficient input handling, the SAP Identity Management REST interface allows an authenticated administrator to submit specially crafted malicious REST requests that are processed by JNDI operations without adequate input neutralization. This may lead to limited disclosure or modification of data, resulting in low impact on confidentiality and integrity, with no impact on application availability.
PLUGIN
SAP Identity Management
CVE-2026-0504
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0510 - NW AS Java UME User Mapping Plugin
The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application.
PLUGIN
NW AS Java UME User Mapping
CVE-2026-0510
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0501 - SAP S/4HANA Private Cloud and On-Premise (Financials � General Ledger) Plugin
Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.
PLUGIN
SAP S/4HANA Private Cloud and On-Premise (Financials � General Ledger)
CVE-2026-0501
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0500 - SAP Wily Introscope Enterprise Manager (WorkStation) Plugin
Due to the usage of vulnerable third party component in SAP Wily Introscope Enterprise Manager (WorkStation), an unauthenticated attacker could create a malicious JNLP (Java Network Launch Protocol) file accessible by a public facing URL. When a victim clicks on the URL the accessed Wily Introscope Server could execute OS commands on the victim's machine. This could completely compromising confidentiality, integrity and availability of the system.
PLUGIN
SAP Wily Introscope Enterprise Manager (WorkStation)
CVE-2026-0500
Risk Score
Threat Entry
Updated 2026-01-22
CVE-2026-0498 - SAP S/4HANA (Private Cloud and On-Premise) Plugin
SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
PLUGIN
SAP S/4HANA (Private Cloud and On-Premise)
CVE-2026-0498
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0503 - SAP ERP Central Component and SAP S/4HANA (SAP EHS Management) Plugin
Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability.
PLUGIN
SAP ERP Central Component and SAP S/4HANA (SAP EHS Management)
CVE-2026-0503
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0499 - SAP NetWeaver Enterprise Portal Plugin
SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject malicious scripts into a URL parameter. The scripts are reflected in the server response and executed in a user's browser when the crafted URL is visited, leading to theft of session information, manipulation of portal content, or user redirection, resulting in a low impact on the application's confidentiality and integrity, with no impact on availability.
PLUGIN
SAP NetWeaver Enterprise Portal
CVE-2026-0499
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0497 - Business Server Pages Application (Product Designer Web UI) Plugin
SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.
PLUGIN
Business Server Pages Application (Product Designer Web UI)
CVE-2026-0497
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-0492 - SAP HANA database Plugin
SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability.
PLUGIN
SAP HANA database
CVE-2026-0492
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0496 - SAP Fiori App (Intercompany Balance Reconciliation) Plugin
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.
PLUGIN
SAP Fiori App (Intercompany Balance Reconciliation)
CVE-2026-0496
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0495 - SAP Fiori App (Intercompany Balance Reconciliation) Plugin
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
PLUGIN
SAP Fiori App (Intercompany Balance Reconciliation)
CVE-2026-0495
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0494 - SAP Fiori App (Intercompany Balance Reconciliation) Plugin
Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.
PLUGIN
SAP Fiori App (Intercompany Balance Reconciliation)
CVE-2026-0494
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0493 - SAP Fiori App (Intercompany Balance Reconciliation) Plugin
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.
PLUGIN
SAP Fiori App (Intercompany Balance Reconciliation)
CVE-2026-0493
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2026-0491 - SAP Landscape Transformation Plugin
SAP Landscape Transformation allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
PLUGIN
SAP Landscape Transformation
CVE-2026-0491
Risk Score
Threat Entry
Updated 2026-01-21
CVE-2026-22813 - Opencode Plugin
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.
PLUGIN
Opencode
CVE-2026-22813
Risk Score
Threat Entry
Updated 2026-01-21
CVE-2026-22812 - Opencode Plugin
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.
PLUGIN
Opencode
CVE-2026-22812
Risk Score