CVE-2026-0488
Undergoing Analysis Undergoing Analysis - In Progress

SQL Injection in SAP CRM and S/4HANA Enables Full Database Compromise

Vulnerability report for CVE-2026-0488, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-10

Last updated on: 2026-02-17

Assigner: SAP SE

Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-10
Last Modified
2026-02-17
Generated
2026-07-06
AI Q&A
2026-02-10
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 18 associated CPEs
Vendor Product Version / Range
sap s/4hana 102
sap s/4hana 103
sap s/4hana 104
sap s/4hana 105
sap s/4hana 106
sap s/4hana 107
sap s/4hana 108
sap netweaver_application_server_abap 700
sap s/4hana 109
sap webclient_ui_framework 700
sap webclient_ui_framework 701
sap webclient_ui_framework 730
sap webclient_ui_framework 731
sap webclient_ui_framework 746
sap webclient_ui_framework 747
sap webclient_ui_framework 748
sap webclient_ui_framework 800
sap webclient_ui_framework 801

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in SAP CRM and SAP S/4HANA's Scripting Editor where an authenticated attacker can exploit a flaw in a generic function module call.

By exploiting this flaw, the attacker can execute unauthorized critical functionalities, including running arbitrary SQL statements.

This means the attacker can potentially take full control over the database.

Impact Analysis

The impact of this vulnerability is very high as it can lead to a full database compromise.

  • Confidentiality: Sensitive data in the database can be exposed.
  • Integrity: Data can be altered or corrupted by the attacker.
  • Availability: The database or services relying on it could be disrupted or made unavailable.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0488. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart