CVE-2026-24315 PUBLISHED

Path Traversal Vulnerability in SAP Fiori (launchpad)

Assigner: sap
Reserved: 21.01.2026 Published: 09.06.2026 Updated: 09.06.2026

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 4.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP Fiori (launchpad)
Versions	Default: unaffected Version SAP_UI 754 is affected Version 755 is affected Version 756 is affected Version 757 is affected Version 758 is affected Version 816 is affected

CVE-2026-24315 PUBLISHED

Path Traversal Vulnerability in SAP Fiori (launchpad)

Metrics

Product Status

References

Problem Types