Vulnerability Details CVE-2026-0488
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call to execute unauthorized critical functionalities, including the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.1%
CVSS Severity
CVSS v3 Score 9.9
Products affected by CVE-2026-0488
- cpe:2.3:a:sap:netweaver_application_server_abap:700
- cpe:2.3:a:sap:s/4hana:102
- cpe:2.3:a:sap:s/4hana:103
- cpe:2.3:a:sap:s/4hana:104
- cpe:2.3:a:sap:s/4hana:105
- cpe:2.3:a:sap:s/4hana:106
- cpe:2.3:a:sap:s/4hana:107
- cpe:2.3:a:sap:s/4hana:108
- cpe:2.3:a:sap:s/4hana:109
- cpe:2.3:a:sap:webclient_ui_framework:700
- cpe:2.3:a:sap:webclient_ui_framework:701
- cpe:2.3:a:sap:webclient_ui_framework:730
- cpe:2.3:a:sap:webclient_ui_framework:731
- cpe:2.3:a:sap:webclient_ui_framework:746
- cpe:2.3:a:sap:webclient_ui_framework:747
- cpe:2.3:a:sap:webclient_ui_framework:748
- cpe:2.3:a:sap:webclient_ui_framework:800
- cpe:2.3:a:sap:webclient_ui_framework:801