CVE 9.9 CRITICAL

SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)_CVE-2026-0501

January 12, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.

AI Analysis

SQL Injection vulnerability allowing an authenticated user to execute crafted SQL queries, affecting confidentiality, integrity, and availability of the application.

Basic Information

ID CVE-2026-0501

Source sap

Published Jan 13, 2026 at 01:14

Affected Product

Vendor SAP_SE

Product SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)

Version S4CORE 102, 103, 104, 105, 106, 107, 108, 109

Affected Versions SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) S4CORE 102
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 103
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 104
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 105
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 106
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 107
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 108
SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 109

CWE Classification

CWE-89

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor SAP

Product SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)

Version S4CORE 102, 103, 104, 105, 106, 107, 108, 109

References

{
    "lastseen": "",
    "description": "Due to insufficient input validation in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger), an authenticated user could execute crafted SQL queries to read, modify, and delete backend database data. This leads to a high impact on the confidentiality, integrity, and availability of the application.",
    "published": "2026-01-13T01:14:05.294Z",
    "modified": "2026-01-13T01:14:05.294Z",
    "type": "cve",
    "title": "SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)",
    "source": "sap",
    "references": "https://me.sap.com/notes/3687749\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-0501",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) S4CORE 102\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 103\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 104\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 105\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 106\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 107\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 108\nSAP_SE SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger) 109",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)",
    "version": "S4CORE 102, 103, 104, 105, 106, 107, 108, 109",
    "vendor": "SAP_SE",
    "ai_description": "SQL Injection vulnerability allowing an authenticated user to execute crafted SQL queries, affecting confidentiality, integrity, and availability of the application.",
    "ai_severity": "Critical",
    "ai_vendor": "SAP",
    "ai_product": "SAP S/4HANA Private Cloud and On-Premise (Financials General Ledger)",
    "ai_version": "S4CORE 102, 103, 104, 105, 106, 107, 108, 109",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply