📦

netweaver

Vendor: sap

Actively Exploited 3 CISA KEV List

PoC / Exploits 15 Code Available

Total RCEs 12 Remote Access

Total CVEs 468 Total Indexed

Avg. EPSS 6.97% Exploit Prob.

Latest CVE CVE-2026-23685 Feb 10

Security Vulnerability Index

Page 4 / 47

8.8 CVSS

CVE-2019-0351

RCE

A remote code execution vulnerability exists in the SAP NetWeaver UDDI Server (Services Registry), versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50. Because of this, an attacker can exploit Services Registry potentially enabling them to take complete control of the product, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate.

EPSS: 2.16%

Severity: HIGH

Aug 14, 2019

5.9 CVSS

CVE-2019-0248

Under certain conditions SAP Gateway of ABAP Application Server (fixed in SAP_GWFND 7.5, 7.51, 7.52, 7.53; SAP_BASIS 7.5) allows an attacker to access information which would otherwise be restricted.

EPSS: 0.35%

Severity: MEDIUM

Jan 08, 2019

8.8 CVSS

CVE-2018-2477

Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document accepted from an untrusted source.

EPSS: 0.64%

Severity: HIGH

Nov 13, 2018

6.1 CVSS

CVE-2018-2476

Due to insufficient URL Validation in forums in SAP NetWeaver versions 7.30, 7.31, 7.40, an attacker can redirect users to a malicious site.

EPSS: 0.21%

Severity: MEDIUM

Nov 13, 2018

6.1 CVSS

CVE-2018-2470

In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

EPSS: 0.42%

Severity: MEDIUM

Oct 09, 2018

6.1 CVSS

CVE-2018-2464

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.

EPSS: 0.42%

Severity: MEDIUM

Sep 11, 2018

8.8 CVSS

CVE-2018-2462

In certain cases, BEx Web Java Runtime Export Web Service in SAP NetWeaver BI 7.30, 7.31. 7.40, 7.41, 7.50, does not sufficiently validate an XML document accepted from an untrusted source.

EPSS: 0.60%

Severity: HIGH

Sep 11, 2018

4.3 CVSS

CVE-2018-2434

A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52). There is little impact as it is not possible to embed active contents such as JavaScript or hyperlinks.

EPSS: 0.13%

Severity: MEDIUM

Jul 10, 2018

8.8 CVSS

CVE-2018-2363

RCE

SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials.

EPSS: 0.74%

Severity: HIGH

Jan 09, 2018

9.8 CVSS

CVE-2015-7241

Exploit Found

XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.

EPSS: 27.38%

Severity: CRITICAL

Sep 06, 2017

Displaying 10 of 468 Total Entries

2 3 4 5 6 ... 47

Total 47 Sections