CVE-2026-0488
CRITICAL
WAF: Low
CVSS 9.9
Published: 2026-02-10
CWE-862
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call to execute unauthorized critical functionality, including arbitrary SQL statements. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
WAF Coverage Analysis
Missing Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| sap | netweaver_application_server_abap | 700 |
| sap | s/4hana | 102 |
| sap | s/4hana | 103 |
| sap | s/4hana | 104 |
| sap | s/4hana | 105 |
| sap | s/4hana | 106 |
| sap | s/4hana | 107 |
| sap | s/4hana | 108 |
| sap | s/4hana | 109 |
| sap | webclient_ui_framework | 700 |
References
- me.sap.com (Permissions Required)
- url.sap (Vendor Advisory)