Latest CVE Feed
-
6.5
MEDIUMCVE-2025-42904
Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on c... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Information Disclosure
-
5.4
MEDIUMCVE-2025-42896
SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in ... Read more
Affected Products : businessobjects_business_intelligence_platform- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Server-Side Request Forgery
-
5.5
MEDIUMCVE-2025-42891
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on ... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
9.9
CRITICALCVE-2025-42880
Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on ... Read more
Affected Products : solution_manager- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Injection
-
8.2
HIGHCVE-2025-42878
SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a hi... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Misconfiguration
-
7.5
HIGHCVE-2025-42877
SAP Web Dispatcher, Internet Communication Manager (ICM), and SAP Content Server allow an unauthenticated user to exploit logical errors that lead to a memory corruption vulnerability. This results in high impact on the availability with no impact on conf... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Memory Corruption
-
7.1
HIGHCVE-2025-42876
Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all c... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authorization
-
6.6
MEDIUMCVE-2025-42875
The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidential... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Authentication
-
7.9
HIGHCVE-2025-42874
SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not ... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Injection
-
5.9
MEDIUMCVE-2025-42873
SAPUI5 (and OpenUI5) packages use outdated 3rd party libraries with known security vulnerabilities. When markdown-it encounters special malformed input, it fails to terminate properly, resulting in an infinite loop. This Denial of Service via infinite loo... Read more
Affected Products :- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Denial of Service
-
6.1
MEDIUMCVE-2025-42872
Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal, an unauthenticated attacker could inject malicious scripts that execute in the context of other users� browsers, allowing the attacker to steal session cookies, tokens, ... Read more
Affected Products : netweaver- Published: Dec. 09, 2025
- Modified: Dec. 09, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41752
An XSS vulnerability in pxc_portSfp.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabilit... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41751
An XSS vulnerability in pxc_portCntr.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabili... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41750
An XSS vulnerability in pxc_PortCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabilit... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41749
An XSS vulnerability in port_util.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerability ... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41748
An XSS vulnerability in pxc_Dot1xCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to click on the link provided by the attacker in order to change parameters available via web based management (WBM). The vulnerabili... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41747
An XSS vulnerability in pxc_vlanIntfCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulne... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41746
An XSS vulnerability in pxc_portSecCfg.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulner... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
7.1
HIGHCVE-2025-41745
An XSS vulnerability in pxc_portCntr2.php can be used by an unauthenticated remote attacker to trick an authenticated user to send a manipulated POST request to the device in order to change parameters available via web based management (WBM). The vulnera... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Cross-Site Scripting
-
6.8
MEDIUMCVE-2025-41697
An attacker can use an undocumented UART port on the PCB as a side-channel to get root access e.g. with the credentials obtained from CVE-2025-41692.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 19, 2025
- Vuln Type: Authentication