Sap Netweaver Application Server Abap — known CVE vulnerabilities
Every CVE whose affected-product data names Sap Netweaver Application Server Abap, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVE-2026-0488 — CVSS 9.9 (critical): An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute…
CVE-2021-27610 — CVSS 9.8 (critical): SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 804, does not create…
CVE-2023-40309 — CVSS 9.8 (critical): SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an…
CVE-2020-6275 — CVSS 9.8 (critical): SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request…
CVE-2021-44231 — CVSS 9.8 (critical): Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby…
CVE-2021-40499 — CVSS 9.8 (critical): Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI…
CVE-2023-27500 — CVSS 9.6 (critical): An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files…
CVE-2023-27269 — CVSS 9.6 (critical): SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757…
CVE-2023-0014 — CVSS 9.0 (critical): SAP NetWeaver ABAP Server and ABAP Platform - versions SAP_BASIS 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756…
CVE-2020-6296 — CVSS 8.8 (high): SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to…
CVE-2022-29611 — CVSS 8.8 (high): SAP NetWeaver Application Server for ABAP and ABAP Platform do not perform necessary authorization checks for an authenticated user…
CVE-2020-26819 — CVSS 8.8 (high): SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web…
CVE-2020-26818 — CVSS 8.8 (high): SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web…
CVE-2019-0257 — CVSS 8.8 (high): Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from…
CVE-2021-38178 — CVSS 8.8 (high): The software logistics system of SAP NetWeaver AS ABAP and ABAP Platform versions - 700, 701, 702, 710, 730, 731, 740, 750, 751, 752, 753…
CVE-2022-41214 — CVSS 8.7 (high): Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges…
CVE-2023-27501 — CVSS 8.7 (high): SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an…
CVE-2026-0506 — CVSS 8.1 (high): Due to a Missing Authorization Check vulnerability in Application Server ABAP and ABAP Platform, an authenticated attacker could misuse an…
CVE-2020-26832 — CVSS 7.6 (high): SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752…
CVE-2022-22540 — CVSS 7.5 (high): SAP NetWeaver AS ABAP (Workplace Server) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787, allows an attacker to…
CVE-2021-33677 — CVSS 7.5 (high): SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 702, 730, 731, 804, 740, 750, 784, expose functions to external which can lead…
CVE-2020-6240 — CVSS 7.5 (high): SAP NetWeaver AS ABAP (Web Dynpro ABAP), versions (SAP_UI 750, 752, 753, 754 and SAP_BASIS 700, 710, 730, 731, 804) allows an…
CVE-2023-40308 — CVSS 7.5 (high): SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption…
CVE-2021-21446 — CVSS 7.5 (high): SAP NetWeaver AS ABAP, versions 740, 750, 751, 752, 753, 754, 755, allows an unauthenticated attacker to prevent legitimate users from…
CVE-2021-38181 — CVSS 7.5 (high): SAP NetWeaver AS ABAP and ABAP Platform - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, allows an attacker to…
CVE-2023-26459 — CVSS 7.4 (high): Due to improper input controls In SAP NetWeaver AS for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754…
CVE-2021-27611 — CVSS 6.7 (medium): SAP NetWeaver AS ABAP, versions - 700, 701, 702, 730, 731, allow a high privileged attacker to inject malicious code by executing an ABAP…
CVE-2021-44235 — CVSS 6.7 (medium): Two methods of a utility class in SAP NetWeaver AS ABAP - versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755…
CVE-2023-25618 — CVSS 6.5 (medium): SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757…
CVE-2021-27603 — CVSS 6.5 (medium): An RFC enabled function module SPI_WAIT_MILLIS in SAP NetWeaver AS ABAP, versions - 731, 740, 750, allows to keep a work process busy for…
CVE-2021-33678 — CVSS 6.5 (medium): A function module of SAP NetWeaver AS ABAP (Reconciliation Framework), versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752…
CVE-2024-33001 — CVSS 6.5 (medium): SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An…
CVE-2023-28763 — CVSS 6.5 (medium): SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, allows an attacker authenticated…
CVE-2026-40135 — CVSS 6.5 (medium): An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an…
CVE-2023-27270 — CVSS 6.5 (medium): SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757…
CVE-2020-6270 — CVSS 6.5 (medium): SAP NetWeaver AS ABAP (Banking Services), versions - 710, 711, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, does not perform necessary…
CVE-2026-24316 — CVSS 6.4 (medium): SAP NetWeaver Application Server for ABAP provides an ABAP Report for testing purposes, which allows to send HTTP requests to arbitrary…
CVE-2026-24309 — CVSS 6.4 (medium): Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP…
CVE-2021-21473 — CVSS 6.3 (medium): SAP NetWeaver AS ABAP and ABAP Platform, versions - 700, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, contains function…
CVE-2020-26835 — CVSS 6.1 (medium): SAP NetWeaver AS ABAP, versions - 740, 750, 751, 752, 753, 754 , does not sufficiently encode URL which allows an attacker to input…
CVE-2022-39799 — CVSS 6.1 (medium): An attacker with no prior authentication could craft and send malicious script to SAP GUI for HTML within Fiori Launchpad, resulting in…
CVE-2023-23858 — CVSS 6.1 (medium): Due to insufficient input validation, SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757…
CVE-2023-23859 — CVSS 6.1 (medium): SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated…
CVE-2023-23860 — CVSS 6.1 (medium): SAP NetWeaver AS for ABAP and ABAP Platform - versions 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, allows an unauthenticated…
CVE-2023-24522 — CVSS 6.1 (medium): Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an…
CVE-2021-21490 — CVSS 6.1 (medium): SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode…
CVE-2023-27499 — CVSS 6.1 (medium): SAP GUI for HTML - versions KERNEL 7.22, 7.53, 7.54, 7.77, 7.81, 7.85, 7.89, 7.91, KRNL64UC, 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT does not…
CVE-2026-34257 — CVSS 6.1 (medium): Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL that…
CVE-2023-0013 — CVSS 6.1 (medium): The ABAP Keyword Documentation of SAP NetWeaver Application Server - versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, for…
CVE-2023-23853 — CVSS 6.1 (medium): An unauthenticated attacker in AP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 702, 731, 740, 750, 751, 752…
CVE-2019-0321 — CVSS 6.1 (medium): ABAP Server and ABAP Platform (SAP Basis), versions, 7.31, 7.4, 7.5, do not sufficiently encode user-controlled inputs, resulting in…
CVE-2023-35874 — CVSS 6.0 (medium): SAP NetWeaver Application Server ABAP and ABAP Platform - version KRNL64NUC, 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT…
CVE-2023-40624 — CVSS 5.5 (medium): SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758…
CVE-2022-35294 — CVSS 5.4 (medium): An attacker with basic business user privileges could craft and upload a malicious file to SAP NetWeaver Application Server ABAP, which is…
CVE-2021-33665 — CVSS 5.4 (medium): SAP NetWeaver Application Server ABAP (Applications based on SAP GUI for HTML), versions - KRNL64NUC - 7.49, KRNL64UC - 7.49,7.53, KERNEL -…
CVE-2022-26102 — CVSS 5.4 (medium): Due to missing authorization check, SAP NetWeaver Application Server for ABAP - versions 700, 701, 702, 731, allows an authenticated…
CVE-2022-29610 — CVSS 5.4 (medium): SAP NetWeaver Application Server ABAP allows an authenticated attacker to upload malicious files and delete (theme) data, which could…
CVE-2021-33664 — CVSS 5.4 (medium): SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702…
CVE-2021-40495 — CVSS 5.3 (medium): There are multiple Denial-of Service vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 740, 750…
CVE-2023-41366 — CVSS 5.3 (medium): Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89…
CVE-2021-33684 — CVSS 5.3 (medium): SAP NetWeaver AS ABAP and ABAP Platform, versions - KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT…
CVE-2026-27688 — CVSS 5.0 (medium): Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could…
CVE-2022-41212 — CVSS 4.9 (medium): Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allows an attacker with high level privileges…
CVE-2023-37492 — CVSS 4.9 (medium): SAP NetWeaver Application Server ABAP and ABAP Platform - versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS…
CVE-2021-40504 — CVSS 4.9 (medium): A certain template role in SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 710, 711, 730, 731, 740…
CVE-2024-41732 — CVSS 4.7 (medium): SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls…
CVE-2026-27682 — CVSS 4.7 (medium): Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server…
CVE-2022-41215 — CVSS 4.7 (medium): SAP NetWeaver ABAP Server and ABAP Platform allows an unauthenticated attacker to redirect users to a malicious site due to insufficient…
CVE-2021-40496 — CVSS 4.3 (medium): SAP Internet Communication framework (ICM) - versions 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 785, allows an…
CVE-2020-6371 — CVSS 4.3 (medium): User enumeration vulnerability can be exploited to get a list of user accounts and personal user information can be exposed in SAP…
CVE-2020-6310 — CVSS 4.3 (medium): Improper access control in SOA Configuration Trace component in SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 702, 730, 731…
CVE-2024-41734 — CVSS 4.3 (medium): Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an…
CVE-2020-6299 — CVSS 4.3 (medium): SAP NetWeaver (ABAP Server) and ABAP Platform, versions - 740, 750, 751, 752, 753, 754, 755, allows a business user to access the list of…
CVE-2021-42067 — CVSS 4.3 (medium): In SAP NetWeaver AS for ABAP and ABAP Platform - versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786, an attacker…
CVE-2023-49581 — CVSS 4.1 (medium): SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and…
CVE-2024-21738 — CVSS 4.1 (medium): SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site…
CVE-2023-23854 — CVSS 3.8 (low): SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, does not perform necessary…
CVE-2026-24310 — CVSS 3.5 (low): Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP…
CVE-2026-27680 — CVSS 3.1 (low): Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom…
CVE-2020-6280 — CVSS 2.7 (low): SAP NetWeaver (ABAP Server) and ABAP Platform, versions 731, 740, 750, allows an attacker with admin privileges to access certain files…
CVE-2024-41728 — CVSS 2.7 (low): Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer…
CVE-2024-44114 — CVSS 2.0 (low): SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over…