Sap Netweaver Application Server Java — known CVE vulnerabilities
Every CVE whose affected-product data names Sap Netweaver Application Server Java, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVE-2022-22532 — CVSS 9.8 (critical): In SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49…
CVE-2019-0345 — CVSS 9.8 (critical): A remote unauthenticated attacker can abuse a web service in SAP NetWeaver Application Server for Java (Administrator System Overview)…
CVE-2020-6263 — CVSS 9.8 (critical): Standalone clients connecting to SAP NetWeaver AS Java via P4 Protocol, versions (SAP-JEECOR 7.00, 7.01; SERVERCOR 7.10, 7.11, 7.20, 7.30…
CVE-2021-37535 — CVSS 9.8 (critical): SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary…
CVE-2023-40309 — CVSS 9.8 (critical): SAP CommonCryptoLib does not perform necessary authentication checks, which may result in missing or wrong authorization checks for an…
CVE-2016-3974 — CVSS 9.1 (critical): XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to…
CVE-2024-22127 — CVSS 9.1 (critical): SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload…
CVE-2017-7717 — CVSS 8.8 (high): SQL injection vulnerability in the getUserUddiElements method in the ES UDDI component in SAP NetWeaver AS Java 7.4 allows remote…
CVE-2019-0389 — CVSS 8.8 (high): An administrator of SAP NetWeaver Application Server Java (J2EE-Framework), (corrected in versions 7.1, 7.2, 7.3, 7.31, 7.4, 7.5), may…
CVE-2015-8840 — CVSS 8.8 (high): The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to…
CVE-2017-8913 — CVSS 8.8 (high): The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity…
CVE-2024-24743 — CVSS 8.6 (high): SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a…
CVE-2020-6309 — CVSS 7.5 (high): SAP NetWeaver AS JAVA, versions - (ENGINEAPI 7.10; WSRM 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; J2EE-FRMW 7.10, 7.11), does not perform…
CVE-2024-34688 — CVSS 7.5 (high): Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the…
CVE-2016-9562 — CVSS 7.5 (high): SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of Service (null pointer exception and icman outage) via an HTTPS…
CVE-2017-14581 — CVSS 7.5 (high): The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 allows remote attackers to cause a denial of service (service crash)…
CVE-2023-40308 — CVSS 7.5 (high): SAP CommonCryptoLib allows an unauthenticated attacker to craft a request, which when submitted to an open port causes a memory corruption…
CVE-2022-22533 — CVSS 7.5 (high): Due to improper error handling in SAP NetWeaver Application Server Java - versions KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT…
CVE-2021-33670 — CVSS 7.5 (high): SAP NetWeaver AS for Java (Http Service Monitoring Filter), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker to send…
CVE-2018-2503 — CVSS 7.4 (high): By default, the SAP NetWeaver AS Java keystore service does not sufficiently restrict the access to resources that should be protected…
CVE-2019-0355 — CVSS 7.2 (high): SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before…
CVE-2020-26820 — CVSS 7.2 (high): SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the…
CVE-2020-6202 — CVSS 7.2 (high): SAP NetWeaver Application Server Java (User Management Engine), versions- 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50; does not sufficiently…
CVE-2019-0327 — CVSS 7.2 (high): SAP NetWeaver for Java Application Server - Web Container, (engineapi, versions 7.1, 7.2, 7.3, 7.31, 7.4 and 7.5), (servercode, versions…
CVE-2018-2492 — CVSS 7.1 (high): SAML 2.0 functionality in SAP NetWeaver AS Java, does not sufficiently validate XML documents received from an untrusted source. This is…
CVE-2023-42477 — CVSS 6.5 (medium): SAP NetWeaver AS Java (GRMG Heartbeat application) - version 7.50, allows an attacker to send a crafted request from a vulnerable web…
CVE-2021-21485 — CVSS 6.5 (medium): An unauthorized attacker may be able to entice an administrator to invoke telnet commands of an SAP NetWeaver Application Server for Java…
CVE-2020-6313 — CVSS 6.5 (medium): SAP NetWeaver Application Server JAVA(XML Forms) versions 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user controlled inputs, which…
CVE-2017-11457 — CVSS 6.5 (medium): XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to read…
CVE-2016-10304 — CVSS 6.5 (medium): The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory…
CVE-2020-26826 — CVSS 6.5 (medium): Process Integration Monitoring of SAP NetWeaver AS JAVA, versions - 7.31, 7.40, 7.50, allows an attacker to upload any file (including…
CVE-2020-6224 — CVSS 6.2 (medium): SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker with administrator privileges…
CVE-2024-22126 — CVSS 6.1 (medium): The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL…
CVE-2017-11458 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject…
CVE-2022-41262 — CVSS 6.1 (medium): Due to insufficient input validation, SAP NetWeaver AS Java (HTTP Provider Service) - version 7.50, allows an unauthenticated attacker to…
CVE-2020-6365 — CVSS 6.1 (medium): SAP NetWeaver AS Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, Start Page allows an unauthenticated remote attacker to…
CVE-2018-2504 — CVSS 6.1 (medium): SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header…
CVE-2021-21491 — CVSS 6.1 (medium): SAP Netweaver Application Server Java (Applications based on WebDynpro Java) versions 7.00, 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allow…
CVE-2026-27674 — CVSS 6.1 (medium): Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply…
CVE-2020-6319 — CVSS 6.1 (medium): SAP NetWeaver Application Server Java, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50 allows an unauthenticated attacker to…
CVE-2018-2452 — CVSS 6.1 (medium): The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50 does not sufficiently encode user-controlled…
CVE-2016-3975 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or…
CVE-2020-6282 — CVSS 5.8 (medium): SAP NetWeaver AS JAVA (IIOP service) (SERVERCORE), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, and SAP NetWeaver AS JAVA (IIOP…
CVE-2020-6190 — CVSS 5.8 (medium): Certain vulnerable endpoints in SAP NetWeaver AS Java (Heap Dump Application), versions 7.30, 7.31, 7.40, 7.50, provide valuable…
CVE-2021-27601 — CVSS 5.4 (medium): SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the…
CVE-2019-0275 — CVSS 5.4 (medium): SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server (J2EE-APPS), versions 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50…
CVE-2022-26103 — CVSS 5.3 (medium): Under certain conditions, SAP NetWeaver (Real Time Messaging Framework) - version 7.50, allows an attacker to access information which…
CVE-2021-27598 — CVSS 5.3 (medium): SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data…
CVE-2019-0318 — CVSS 5.3 (medium): Under certain conditions SAP NetWeaver Application Server for Java (Startup Framework), versions 7.21, 7.22, 7.45, 7.49, and 7.53, allows…
CVE-2020-6286 — CVSS 5.3 (medium): The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions…
CVE-2023-24526 — CVSS 5.3 (medium): SAP NetWeaver Application Server Java for Classload Service - version 7.50, does not perform any authentication checks for functionalities…
CVE-2023-42480 — CVSS 5.3 (medium): The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the…
CVE-2016-3973 — CVSS 5.3 (medium): The chat feature in the Real-Time Collaboration (RTC) services 7.3 and 7.4 in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers…
CVE-2024-28164 — CVSS 5.3 (medium): SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which…
CVE-2025-42926 — CVSS 5.3 (medium): SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within…
CVE-2021-33687 — CVSS 4.9 (medium): SAP NetWeaver AS JAVA (Enterprise Portal), versions - 7.10, 7.20, 7.30, 7.31, 7.40, 7.50 reveals sensitive information in one of their HTTP…
CVE-2020-26816 — CVSS 4.5 (medium): SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP…
CVE-2019-0391 — CVSS 4.3 (medium): Under certain conditions SAP NetWeaver AS Java (corrected in 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) allows an attacker to access information…
CVE-2021-33689 — CVSS 4.3 (medium): When user with insufficient privileges tries to access any application in SAP NetWeaver Administrator (Administrator applications), version…
CVE-2021-21492 — CVSS 4.3 (medium): SAP NetWeaver Application Server Java(HTTP Service), versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate…
CVE-2026-23686 — CVSS 3.4 (low): Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could…