CVE-2026-0488
Undergoing Analysis Undergoing Analysis - In Progress
SQL Injection in SAP CRM and S/4HANA Enables Full Database Compromise

Publication date: 2026-02-10

Last updated on: 2026-02-17

Assigner: SAP SE

Description
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-10
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-02-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0488
EUVD
EUVD-2026-6392
Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
sap s/4hana 102
sap s/4hana 103
sap s/4hana 104
sap s/4hana 105
sap s/4hana 106
sap s/4hana 107
sap s/4hana 108
sap netweaver_application_server_abap 700
sap s/4hana 109
sap webclient_ui_framework 700
sap webclient_ui_framework 701
sap webclient_ui_framework 730
sap webclient_ui_framework 731
sap webclient_ui_framework 746
sap webclient_ui_framework 747
sap webclient_ui_framework 748
sap webclient_ui_framework 800
sap webclient_ui_framework 801
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in SAP CRM and SAP S/4HANA's Scripting Editor where an authenticated attacker can exploit a flaw in a generic function module call.

By exploiting this flaw, the attacker can execute unauthorized critical functionalities, including running arbitrary SQL statements.

This means the attacker can potentially take full control over the database.

Impact Analysis

The impact of this vulnerability is very high as it can lead to a full database compromise.

  • Confidentiality: Sensitive data in the database can be exposed.
  • Integrity: Data can be altered or corrupted by the attacker.
  • Availability: The database or services relying on it could be disrupted or made unavailable.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0488. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart