CVE 9.9 CRITICAL

Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)_CVE-2026-0488

February 9, 2026 invoker category_cve

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

AI Analysis

Code Injection vulnerability allowing unauthorized execution of critical functionalities, including arbitrary SQL statements, leading to full database compromise.

Basic Information

ID CVE-2026-0488

Source sap

Published Feb 10, 2026 at 03:01

Affected Product

Vendor SAP_SE

Product SAP CRM and SAP S/4HANA (Scripting Editor)

Version S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801

Affected Versions SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) S4FND 102
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 103
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 104
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 105
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 106
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 107
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 108
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 109
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) SAP_ABA 700
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) WEBCUIF 700
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 701
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 730
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 731
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 746
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 747
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 748
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 800
SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 801

CWE Classification

CWE-862

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor SAP

Product SAP CRM and SAP S/4HANA (Scripting Editor)

Version S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801

References

{
    "lastseen": "",
    "description": "An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.",
    "published": "2026-02-10T03:01:08.999Z",
    "modified": "2026-02-10T03:01:08.999Z",
    "type": "cve",
    "title": "Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor)",
    "source": "sap",
    "references": "https://me.sap.com/notes/3697099\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-0488",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) S4FND 102\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 103\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 104\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 105\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 106\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 107\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 108\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 109\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) SAP_ABA 700\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) WEBCUIF 700\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 701\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 730\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 731\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 746\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 747\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 748\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 800\nSAP_SE SAP CRM and SAP S/4HANA (Scripting Editor) 801",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP CRM and SAP S/4HANA (Scripting Editor)",
    "version": "S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801",
    "vendor": "SAP_SE",
    "ai_description": "Code Injection vulnerability allowing unauthorized execution of critical functionalities, including arbitrary SQL statements, leading to full database compromise.",
    "ai_severity": "Critical",
    "ai_vendor": "SAP",
    "ai_product": "SAP CRM and SAP S/4HANA (Scripting Editor)",
    "ai_version": "S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801",
    "ai_score": 9.9
}

💭 Join the Security Discussion ❌ Cancel Reply