CVE-2020-6238 — CVSS 9.3 (critical): SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading…
CVE-2023-39439 — CVSS 8.8 (high): SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without…
CVE-2023-42481 — CVSS 8.1 (high): In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can…
CVE-2019-0322 — CVSS 7.5 (high): SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to…
CVE-2024-33003 — CVSS 7.4 (high): Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses…
CVE-2021-33666 — CVSS 6.1 (medium): When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances…
CVE-2020-6201 — CVSS 6.1 (medium): The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to…
CVE-2026-23684 — CVSS 5.9 (medium): A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in…
CVE-2023-37486 — CVSS 5.9 (medium): Under certain conditions SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access…
CVE-2020-6200 — CVSS 5.4 (medium): The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a…
CVE-2020-6272 — CVSS 5.4 (medium): SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and…
CVE-2021-21445 — CVSS 5.4 (medium): SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP…
CVE-2026-24321 — CVSS 5.3 (medium): SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to…
CVE-2020-26809 — CVSS 5.3 (medium): SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the…
CVE-2020-6232 — CVSS 5.3 (medium): SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization…
CVE-2020-6363 — CVSS 4.6 (medium): SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions…