{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0488", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:31.935Z", "datePublished": "2026-02-10T03:01:08.999Z", "dateUpdated": "2026-02-26T15:04:14.152Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP CRM and SAP S/4HANA (Scripting Editor)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "S4FND 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SAP_ABA 700"}, {"status": "affected", "version": "WEBCUIF 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "730"}, {"status": "affected", "version": "731"}, {"status": "affected", "version": "746"}, {"status": "affected", "version": "747"}, {"status": "affected", "version": "748"}, {"status": "affected", "version": "800"}, {"status": "affected", "version": "801"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.</p>"}], "value": "An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:08.999Z"}, "references": [{"url": "https://me.sap.com/notes/3697099"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:12.805253Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:14.152Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:12.805253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:42:53.926Z"}}], "cna": {"title": "Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP CRM and SAP S/4HANA (Scripting Editor)", "versions": [{"status": "affected", "version": "S4FND 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SAP_ABA 700"}, {"status": "affected", "version": "WEBCUIF 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "730"}, {"status": "affected", "version": "731"}, {"status": "affected", "version": "746"}, {"status": "affected", "version": "747"}, {"status": "affected", "version": "748"}, {"status": "affected", "version": "800"}, {"status": "affected", "version": "801"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3697099"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.", "supportingMedia": [{"type": "text/html", "value": "<p>An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:08.999Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0488", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:14.152Z", "dateReserved": "2025-12-09T22:06:31.935Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:01:08.999Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:*", "matchCriteriaId": "C5A3C915-0E5F-4B1A-B1EB-5ADEA517F620", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:102:*:*:*:*:*:*:*", "matchCriteriaId": "55BACB30-A607-410E-AB05-E991CC19CE12", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:103:*:*:*:*:*:*:*", "matchCriteriaId": "95A0C742-4CBD-46B8-B2B3-5949EFC82A6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:104:*:*:*:*:*:*:*", "matchCriteriaId": "14A540DA-F234-4EEA-ADE8-4F6306A86C1E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:105:*:*:*:*:*:*:*", "matchCriteriaId": "088EF501-76F9-44EC-B8B9-AED6F6096C03", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:106:*:*:*:*:*:*:*", "matchCriteriaId": "E0023602-B509-4B20-9B29-20EEE88E1692", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:107:*:*:*:*:*:*:*", "matchCriteriaId": "489A03BA-B2B1-4271-9A0B-B514051807DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:108:*:*:*:*:*:*:*", "matchCriteriaId": "527C39A2-8777-4334-B4D4-A738442A0FB9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s\\/4hana:109:*:*:*:*:*:*:*", "matchCriteriaId": "AA935EBA-7508-4993-B07A-48EBFB267914", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:700:*:*:*:*:*:*:*", "matchCriteriaId": "8E58BF28-5CE1-47C3-8DE3-72BEA73DC3B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:701:*:*:*:*:*:*:*", "matchCriteriaId": "FFE1D9D8-4942-4F90-AE5C-D82A01917F9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:730:*:*:*:*:*:*:*", "matchCriteriaId": "F2CC76B6-E96D-42E1-8EA4-38BBBDD1DE2A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:731:*:*:*:*:*:*:*", "matchCriteriaId": "CC693B01-4B67-4A72-A6CB-F090FF95A99B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:746:*:*:*:*:*:*:*", "matchCriteriaId": "B3DF2127-D217-432B-AD0A-3A83DEAA3B04", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:747:*:*:*:*:*:*:*", "matchCriteriaId": "F58D83D4-822A-42FC-841E-43A174AECE85", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:748:*:*:*:*:*:*:*", "matchCriteriaId": "808207D6-794F-4D38-9E22-233A1E584F75", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:800:*:*:*:*:*:*:*", "matchCriteriaId": "5B6E6ECF-6417-4B17-AAB8-1B8D7DB222C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:webclient_ui_framework:801:*:*:*:*:*:*:*", "matchCriteriaId": "BD4F358E-8664-41BE-83B6-5A81FC974F4F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability."}, {"lang": "es", "value": "Un atacante autenticado en SAP CRM y SAP S/4HANA (Editor de scripts) podr\u00eda explotar una vulnerabilidad en una llamada a un m\u00f3dulo de funci\u00f3n gen\u00e9rico y ejecutar funcionalidades cr\u00edticas no autorizadas, lo que incluye la capacidad de ejecutar una sentencia SQL arbitraria. Esto conduce a un compromiso total de la base de datos con alto impacto en la confidencialidad, integridad y disponibilidad."}], "id": "CVE-2026-0488", "lastModified": "2026-02-17T16:10:03.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "cna@sap.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T04:16:01.710", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3697099"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4FND 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_ABA 700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "WEBCUIF 700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "701"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "730"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "731"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "746"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "747"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "748"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "800"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "801"}}], "product": "sap_crm_and_sap_s/4hana_(scripting_editor)", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-17T21:01:34.780533+00:00", "value": {"mitigation_remediation": ["Apply SAP Note 3697099 to patch the affected function module.", "Restrict access to the Scripting Editor and the generic function module to a minimal set of authorized users and roles.", "Enable detailed logging and monitor for unusual usage patterns or abnormal database queries originating from the Scripting Editor."], "summary": {"action": "Immediate Patch", "impact": "Full Database Compromise"}, "threat_synthesis": {"affected_systems": "Affected products include SAP CRM and SAP S/4HANA (Scripting Editor) from SAP. No specific version range is listed in the available data; therefore all releases that contain the Scripting Editor component remain under consideration.", "description_and_impact": "The vulnerability allows an authenticated user to exploit a flaw in a generic function module call within SAP CRM and SAP S/4HANA\u2019s Scripting Editor, enabling execution of arbitrary SQL statements. This results in a full compromise of the underlying database, causing severe loss of confidentiality, integrity, and availability.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.9, indicating critical severity. EPSS indicates a low exploitation probability, with a score of less than 1 percent. The vulnerability is not yet listed in the CISA KEV catalog. The attack requires authenticated access to the system, meaning an attacker must possess valid credentials or compromise an existing user account. If exploited, the attacker can gain complete control over the database, elevating the risk dramatically for systems that host sensitive data and rely on the affected components."}}}}, "created": "2026-02-10T11:34:44.841756+00:00", "updated": "2026-04-17T21:15:27.372132+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_crm_and_sap_s/4hana_(scripting_editor)"]}