CVE-2026-0488 - Vulnerability Details - OpenCVE

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap Se	Sap Crm And Sap S/4hana (scripting Editor)

No data.

No data.

References

Link	Providers
https://me.sap.com/notes/3697099
https://url.sap/sapsecuritypatchday

History

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sap Se Sap Se sap Crm And Sap S/4hana (scripting Editor)
Vendors & Products		Sap Se Sap Se sap Crm And Sap S/4hana (scripting Editor)

Tue, 10 Feb 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
Title		Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)
Weaknesses		CWE-862
References		https://me.sap.com/notes/3697099 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2026-02-10T03:01:08.999Z

Updated: 2026-02-10T03:01:08.999Z

Reserved: 2025-12-09T22:06:31.935Z

Link: CVE-2026-0488

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-02-10T04:16:01.710

Modified: 2026-02-10T15:22:54.740

Link: CVE-2026-0488

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0488", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:31.935Z", "datePublished": "2026-02-10T03:01:08.999Z", "dateUpdated": "2026-02-10T03:01:08.999Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP CRM and SAP S/4HANA (Scripting Editor)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "S4FND 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "SAP_ABA 700"}, {"status": "affected", "version": "WEBCUIF 700"}, {"status": "affected", "version": "701"}, {"status": "affected", "version": "730"}, {"status": "affected", "version": "731"}, {"status": "affected", "version": "746"}, {"status": "affected", "version": "747"}, {"status": "affected", "version": "748"}, {"status": "affected", "version": "800"}, {"status": "affected", "version": "801"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.</p>"}], "value": "An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:01:08.999Z"}, "references": [{"url": "https://me.sap.com/notes/3697099"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)", "x_generator": {"engine": "Vulnogram 0.5.0"}}}}