CVE-2013-6822 — CVSS 10.0 (critical): GRMGApp in SAP NetWeaver allows remote attackers to have unspecified impact and attack vectors, related to an XML External Entity (XXE)…
CVE-2011-1517 — CVSS 9.8 (critical): SAP NetWeaver 7.0 allows Remote Code Execution and Denial of Service caused by an error in the DiagTraceHex() function. By sending a…
CVE-2016-10311 — CVSS 9.8 (critical): Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted…
CVE-2013-1592 — CVSS 9.8 (critical): A Buffer Overflow vulnerability exists in the Message Server service _MsJ2EE_AddStatistics() function when sending specially crafted SAP…
CVE-2012-2611 — CVSS 9.3 (critical): The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP…
CVE-2016-7435 — CVSS 9.1 (critical): The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP…
CVE-2023-36922 — CVSS 9.1 (critical): Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to…
CVE-2020-6203 — CVSS 9.1 (critical): SAP NetWeaver UDDI Server (Services Registry), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; allows an attacker to exploit…
CVE-2019-0351 — CVSS 8.8 (high): A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40…
CVE-2018-2462 — CVSS 8.8 (high): In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31. 7.40, 7.41, 7.50, does not sufficiently validate…
CVE-2021-21481 — CVSS 8.8 (high): The MigrationService, which is part of SAP NetWeaver versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform an authorization…
CVE-2018-2477 — CVSS 8.8 (high): Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document…
CVE-2018-2363 — CVSS 8.8 (high): SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to…
CVE-2023-29186 — CVSS 8.7 (high): In SAP NetWeaver (BI CONT ADDON) - versions 707, 737, 747, 757, an attacker can exploit a directory traversal flaw in a report to upload…
CVE-2016-4014 — CVSS 8.6 (high): XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to cause a denial of…
CVE-2016-2389 — CVSS 7.5 (high): Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0…
CVE-2022-28773 — CVSS 7.5 (high): Due to an uncontrolled recursion in SAP Web Dispatcher and SAP Internet Communication Manager, the application may crash, leading to denial…
CVE-2022-28772 — CVSS 7.5 (high): By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher - versions 7.53, 7.77, 7.81…
CVE-2013-1593 — CVSS 7.5 (high): A Denial of Service vulnerability exists in the WRITE_C function in the msg_server.exe module in SAP NetWeaver 2004s, 7.01 SR1, 7.02 SP06…
CVE-2013-5723 — CVSS 7.5 (high): SQL injection vulnerability in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL commands via unspecified vectors…
CVE-2013-6869 — CVSS 7.5 (high): SQL injection vulnerability in the SRTT_GET_COUNT_BEFORE_KEY_RFC function in SAP NetWeaver 7.30 allows remote attackers to execute…
CVE-2013-7094 — CVSS 7.5 (high): SQL injection vulnerability in the RSDDCVER_COUNT_TAB_COLS function in SAP NetWeaver 7.30 allows remote attackers to execute arbitrary SQL…
CVE-2013-7364 — CVSS 7.5 (high): An unspecified J2EE core service in the J2EE Engine in SAP NetWeaver does not properly restrict access, which allows remote attackers to…
CVE-2017-9845 — CVSS 7.5 (high): disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attackers to cause a denial of service (resource consumption) via a crafted…
CVE-2017-9844 — CVSS 7.5 (high): SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted…
CVE-2017-5372 — CVSS 7.5 (high): The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE component in SAP AS JAVA allows remote attackers to obtain sensitive system…
CVE-2014-4003 — CVSS 7.5 (high): The System Landscape Directory (SLD) in SAP NetWeaver allows remote attackers to modify information via vectors related to adding a system.
CVE-2014-8587 — CVSS 7.5 (high): SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows…
CVE-2016-4551 — CVSS 7.5 (high): The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote attackers to spoof IP addresses…
CVE-2016-4015 — CVSS 7.5 (high): The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a…
CVE-2015-5067 — CVSS 7.5 (high): The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to…
CVE-2016-3635 — CVSS 7.5 (high): SAP Netweaver 7.4 allows remote authenticated users to bypass an intended Unified Connectivity (UCON) access control list and execute…
CVE-2015-6662 — CVSS 6.8 (medium): XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other…
CVE-2020-6285 — CVSS 6.5 (medium): SAP NetWeaver - XML Toolkit for JAVA (ENGINEAPI) (versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50), under certain conditions allows an…
CVE-2022-28217 — CVSS 6.5 (medium): Some part of SAP NetWeaver (EP Web Page Composer) does not sufficiently validate an XML document accepted from an untrusted source, which…
CVE-2015-2815 — CVSS 6.5 (medium): Buffer overflow in the C_SAPGPARAM function in the NetWeaver Dispatcher in SAP KERNEL 7.00 (7000.52.12.34966) and 7.40 (7400.12.21.30308)…
CVE-2014-6252 — CVSS 6.5 (medium): Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote…
CVE-2013-6823 — CVSS 6.4 (medium): GRMGApp in SAP NetWeaver allows remote attackers to bypass intended access restrictions via unspecified vectors.
CVE-2023-33984 — CVSS 6.4 (medium): SAP NetWeaver (Design Time Repository) - version 7.50, returns an unfavorable content type for some versioned files, which could allow an…
CVE-2018-2464 — CVSS 6.1 (medium): SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored…
CVE-2022-22534 — CVSS 6.1 (medium): Due to insufficient encoding of user input, SAP NetWeaver allows an unauthenticated attacker to inject code that may expose sensitive data…
CVE-2016-1911 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via…
CVE-2016-2387 — CVSS 6.1 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote…
CVE-2023-27499 — CVSS 6.1 (medium): SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not…
CVE-2020-6184 — CVSS 6.1 (medium): Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51…
CVE-2023-0021 — CVSS 6.1 (medium): Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to…
CVE-2023-33985 — CVSS 6.1 (medium): SAP NetWeaver Enterprise Portal - version 7.50, does not sufficiently encode user-controlled inputs over the network, resulting in…
CVE-2018-2470 — CVSS 6.1 (medium): In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently…
CVE-2018-2476 — CVSS 6.1 (medium): Due to insufficient URL Validation in forums in SAP NetWeaver versions 7.30, 7.31, 7.40, an attacker can redirect users to a malicious site.
CVE-2021-38183 — CVSS 6.1 (medium): SAP NetWeaver - versions 700, 701, 702, 730, does not sufficiently encode user-controlled inputs, allowing an attacker to cause a potential…
CVE-2019-0248 — CVSS 5.9 (medium): Under certain conditions SAP Gateway of ABAP Application Server (fixed in SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) allows an…
CVE-2013-6814 — CVSS 5.8 (medium): The J2EE Engine in SAP NetWeaver 6.40, 7.02, and earlier allows remote attackers to redirect users to arbitrary web sites, conduct phishing…
CVE-2020-6181 — CVSS 5.8 (medium): Under some circumstances the SAML SSO implementation in the SAP NetWeaver (SAP_BASIS versions 702, 730, 731, 740 and SAP ABAP Platform…
CVE-2020-6185 — CVSS 5.4 (medium): Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51…
CVE-2024-25644 — CVSS 5.3 (medium): Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted…
CVE-2023-41367 — CVSS 5.3 (medium): Due to missing authentication check in webdynpro application, an unauthorized user in SAP NetWeaver (Guided Procedures) - version 7.50, can…
CVE-2024-27898 — CVSS 5.3 (medium): SAP NetWeaver application, due to insufficient input validation, allows an attacker to send a crafted request from a vulnerable web…
CVE-2016-1910 — CVSS 5.3 (medium): The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security…
CVE-2014-3787 — CVSS 5.0 (medium): SAP NetWeaver 7.20 and earlier allows remote attackers to read arbitrary SAP Central User Administration (SAP CUA) tables via unspecified…
CVE-2014-1963 — CVSS 5.0 (medium): Unspecified vulnerability in Message Server in SAP NetWeaver 7.20 allows remote attackers to cause a denial of service via unknown attack…
CVE-2014-1961 — CVSS 5.0 (medium): Unspecified vulnerability in the Portal WebDynPro in SAP NetWeaver allows remote attackers to obtain sensitive path information via unknown…
CVE-2015-2817 — CVSS 5.0 (medium): The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters…
CVE-2014-8592 — CVSS 5.0 (medium): Unspecified vulnerability in SAP Host Agent, as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to cause a denial of service…
CVE-2014-8591 — CVSS 5.0 (medium): Unspecified vulnerability in SAP Internet Communication Manager (ICM), as used in SAP NetWeaver 7.02 and 7.3, allows remote attackers to…
CVE-2014-1960 — CVSS 5.0 (medium): The Solution Manager in SAP NetWeaver does not properly restrict access, which allows remote attackers to obtain sensitive information via…
CVE-2014-0995 — CVSS 5.0 (medium): The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier allows remote attackers to cause a denial of service (uncontrolled…
CVE-2013-6821 — CVSS 5.0 (medium): Directory traversal vulnerability in the Exportability Check Service in SAP NetWeaver allows remote attackers to read arbitrary files via…
CVE-2013-6815 — CVSS 5.0 (medium): The SHSTI_UPLOAD_XML function in the Application Server for ABAP (AS ABAP) in SAP NetWeaver 7.31 and earlier allows remote attackers to…
CVE-2013-6244 — CVSS 5.0 (medium): The Live Update webdynpro application (webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP) in SAP NetWeaver 7.31 and earlier allows remote…
CVE-2013-5751 — CVSS 5.0 (medium): Directory traversal vulnerability in SAP NetWeaver 7.x allows remote attackers to read arbitrary files via unspecified vectors.
CVE-2013-3319 — CVSS 5.0 (medium): The GetComputerSystem method in the HostControl service in SAP Netweaver 7.03 allows remote attackers to obtain sensitive information via a…
CVE-2012-2612 — CVSS 5.0 (medium): The DiagTraceHex function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2…
CVE-2012-2514 — CVSS 5.0 (medium): The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2…
CVE-2012-2513 — CVSS 5.0 (medium): The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows…
CVE-2012-2512 — CVSS 5.0 (medium): The DiagTraceStreamI function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2…
CVE-2012-2511 — CVSS 5.0 (medium): The DiagTraceAtoms function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2…
CVE-2012-1292 — CVSS 5.0 (medium): Unspecified vulnerability in the MessagingSystem servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about…
CVE-2012-1291 — CVSS 5.0 (medium): Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet in SAP NetWeaver 7.0 allows remote attackers to obtain…
CVE-2025-42968 — CVSS 5.0 (medium): SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to…
CVE-2026-23685 — CVSS 4.4 (medium): Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access…
CVE-2008-3358 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows…
CVE-2012-1290 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp in the Internet Sales (crm.b2b) module in SAP NetWeaver 7.0 allows…
CVE-2018-2434 — CVSS 4.3 (medium): A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which…
CVE-2009-2932 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in uddiclient/process in the UDDI client in SAP NetWeaver Application Server (Java) 7.0 allows…
CVE-2008-1846 — CVSS 4.3 (medium): The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or…
CVE-2010-1609 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before SP21 and 2004s before SP13 allows remote attackers to inject…
CVE-2014-1964 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP…
CVE-2014-1965 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in ISpeakAdapter in the Integration Repository in the SAP Exchange Infrastructure (BC-XI)…
CVE-2011-5263 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in RetrieveMailExamples in SAP NetWeaver 7.30 and earlier allows remote attackers to inject…
CVE-2011-5260 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in SAP/BW/DOC/METADATA in SAP NetWeaver allows remote attackers to inject arbitrary web script or…
CVE-2013-6819 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Performance Provider in SAP NetWeaver allows remote attackers to inject arbitrary web script or…
CVE-2013-6816 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the (1) JavaDumpService and (2) DataCollector servlets in SAP NetWeaver allow remote…
CVE-2011-4707 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary…
CVE-2010-2904 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the System Landscape Directory (SLD) component 6.4 through 7.02 in SAP NetWeaver…
CVE-2024-22124 — CVSS 4.1 (medium): Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54…
CVE-2012-1289 — CVSS 4.0 (medium): Multiple directory traversal vulnerabilities in SAP NetWeaver 7.0 allow remote authenticated users to read arbitrary files via a .. (dot…
CVE-2016-7437 — CVSS 3.3 (low): SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the SAP Security Audit Log as non-critical, which might allow local users…
CVE-2023-32114 — CVSS 2.7 (low): SAP NetWeaver (Change and Transport System) - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an authenticated user…