CVE-2026-0488 — Vulnetix

CVE-2026-0488 PUBLISHED CVSS 9.899999618530273 CRITICAL

An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.

EPSS 0.02% · 6.6th percentile

Risk Scores

CVSS 3.1

9.899999618530273

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.02%

6.6th percentile

Affected Products

Vendor	Product	Versions
SAP_SE	SAP CRM and SAP S/4HANA (Scripting Editor)	109, S4FND 102, 104
sap	netweaver_application_server_abap	700, 700, 700
sap	s\/4hana	102, 102, 103
sap	webclient_ui_framework	701, 700, 730

Exploit Intelligence

CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)
CIRCL seen: CVE-2026-0488 (circl-sighting)

…and 11 more exploits

Timeline

Feb 10, 2026 CVE Published
Feb 10, 2026 EPSS Score
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 10, 2026 PoC Published
Feb 11, 2026 PoC Published
Feb 12, 2026 EPSS Score

References

Open in Interactive Console →