Known vulnerabilities affecting SAP products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-34264 | During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the ... | 6.5 | 209 | Neutral | No | Yes |
| CVE-2026-34262 | Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer | 4.3 | 329 | Neutral | Yes | Yes |
| CVE-2026-33417 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password_resets table includes a created_at timestamp c... | 7.1 | 305 | Neutral | No | Yes |
| CVE-2026-33407 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without valida... | 9.1 | 568 | Neutral | No | Yes |
| CVE-2026-33401 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endp... | 6.5 | 209 | Neutral | No | Yes |
| CVE-2026-33400 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authen... | 5.4 | 116 | Neutral | No | Yes |
| CVE-2026-33399 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_w... | 7.7 | 416 | Neutral | No | Yes |
| CVE-2026-31431 | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associ... | 7.8 | 533 | Viral | Yes | Yes |
| CVE-2026-30842 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion e... | 4.3 | 99 | Neutral | No | Yes |
| CVE-2026-30841 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, passwordreset.php outputs $_GET["token"] and $_GET["email"] directly into HTML input value attributes usi... | 6.1 | 165 | Neutral | No | Yes |
| CVE-2026-30840 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, there is a server-side request forgery vulnerability in notification testers. This issue has been patched... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2026-30839 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enablin... | 4.3 | 99 | Neutral | No | Yes |
| CVE-2026-30828 | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, the url parameter can be used to retrieve local system files. This issue has been patched in version 4.6.... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-27679 | Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without prope... | 6.5 | 273 | Neutral | No | Yes |
| CVE-2026-27479 | Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upl... | 7.7 | 416 | Neutral | No | Yes |
| CVE-2026-24328 | SAP TAF_APPLAUNCHER within Business Server Pages allows unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposi... | 6.1 | 207 | Neutral | No | Yes |
| CVE-2026-24327 | Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unau... | 4.3 | 163 | Neutral | No | Yes |
| CVE-2026-24326 | Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct upda... | 4.3 | 163 | Neutral | No | Yes |
| CVE-2026-24325 | SAP BusinessObjects Enterprise does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting (XSS) vulnerability. This enables an admin user to inject malicious JavaScrip... | 4.8 | 202 | Neutral | No | Yes |
| CVE-2026-24324 | SAP BusinessObjects Business Intelligence Platform (AdminTools) allows an authenticated attacker with user privileges to execute a specific query in AdminTools that could cause the Content Management ... | 6.5 | 209 | Neutral | No | Yes |
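Several of the Wallos entries above (CVE-2026-30839, CVE-2026-27479, CVE-2026-33399, CVE-2026-33401) describe the same failure mode: an outbound URL supplied by an authenticated user is fetched without being checked against private and reserved address ranges, and a first fix that only inspects the URL string is then found to be incomplete. The check below is an added example written for this page; it is not Wallos code and makes no claim about what the project's own `validate_w...` function does. It resolves the hostname and rejects the target if any returned address (IPv4 or IPv6, including IPv4-mapped IPv6) falls in a loopback, private, link-local, multicast, reserved, unspecified or CGNAT range. The function and the `resolver` parameter are hypothetical names chosen here so the resolver can be swapped for a fake one when running offline.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (hypothetical helper, not Wallos code): decide whether a
# user-supplied webhook/notification URL may be fetched by the server.

ALLOWED_SCHEMES = {"http", "https"}

# Ranges the stdlib flags inconsistently across versions are denied explicitly.
EXTRA_DENY = [ipaddress.ip_network("100.64.0.0/10")]  # CGNAT (RFC 6598)


def _is_disallowed_ip(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for loopback, private, link-local, multicast, reserved, unspecified
    addresses, the EXTRA_DENY ranges, and IPv4-mapped IPv6 wrapping such an address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as a "global" IPv6 address
        return _is_disallowed_ip(ip.ipv4_mapped)
    if any(ip in net for net in EXTRA_DENY):
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _default_resolver(host: str) -> list[str]:
    """Return every A/AAAA address for host (all families, all records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_target(url: str, resolver=_default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason). Rejects non-http(s) schemes, embedded
    credentials, literal internal addresses, and hostnames whose resolution
    includes any internal address (catches 0x7f000001-style encodings that
    the libc resolver would still turn into 127.0.0.1)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"

    # Literal address in the URL (127.0.0.1, [::1], [::ffff:10.0.0.1]): check directly.
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if _is_disallowed_ip(literal):
            return False, f"literal internal address {literal}"
        return True, "ok"

    # Hostname: every resolved address must be acceptable, not just the first.
    try:
        addrs = resolver(host)
    except (OSError, LookupError):
        return False, "resolution failed"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        try:
            candidate = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        if _is_disallowed_ip(candidate):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the fake resolver keeps this runnable offline.
    fake = {"example.com": ["93.184.216.34"],
            "rebind.test": ["93.184.216.34", "10.0.0.5"],
            "0x7f000001": ["127.0.0.1"]}
    for u in ["https://example.com/hook", "http://127.0.0.1:8080/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/meta-data/",
              "http://rebind.test/", "http://0x7f000001/", "file:///etc/passwd"]:
        print(u, "->", is_safe_target(u, fake.__getitem__))
```

One caveat this check cannot remove on its own: the name is resolved once at validation time and again by the HTTP client when it connects, so a DNS answer that changes between the two lookups (DNS rebinding) still reaches an internal address. The usual mitigations are to connect to the address that was validated (pin the resolved IP and send the original hostname in the Host header / SNI) or to run the same address check inside the client's connection hook, and to apply it again on every redirect.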