CVE-2026-0488

CRITICAL

SAP CRM/S/4HANA - Privilege Escalation

Title source: llm

Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which include the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

Scores

CVSS v3 9.9
EPSS 0.0002
EPSS Percentile 3.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE CWE-862
Status published

Affected Products (18)

sap/netweaver_application_server_abap
sap/s\/4hana
sap/s\/4hana
sap/s\/4hana
sap/s\/4hana
sap/s\/4hana
sap/s\/4hana
sap/s\/4hana
sap/s\/4hana
sap/webclient_ui_framework
sap/webclient_ui_framework
sap/webclient_ui_framework
sap/webclient_ui_framework
sap/webclient_ui_framework
sap/webclient_ui_framework
... and 3 more

Timeline

Published Feb 10, 2026
Tracked Since Feb 18, 2026