CVE-2026-0488 PUBLISHED

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)

Assigner: sap
Reserved: 09.12.2025 Published: 10.02.2026 Updated: 10.02.2026

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP CRM and SAP S/4HANA (Scripting Editor)
Versions	Default: unaffected Version S4FND 102 is affected Version 103 is affected Version 104 is affected Version 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected Version 109 is affected Version SAP_ABA 700 is affected Version WEBCUIF 700 is affected Version 701 is affected Version 730 is affected Version 731 is affected Version 746 is affected Version 747 is affected Version 748 is affected Version 800 is affected Version 801 is affected

CVE-2026-0488 PUBLISHED

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)

Metrics

Product Status

References

Problem Types