CVE-2026-23684 — Vulnetix

CVE-2026-23684 PUBLISHED CVSS 5.900000095367432 MEDIUM

A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value which could be checked out. This leads to high impact on data integrity, with no impact on data confidentiality or availability of the application.

EPSS 0.03% · 10.8th percentile

Risk Scores

CVSS v3.1

5.900000095367432

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score

0.03%

10.8th percentile

Affected Products

Vendor	Product	Versions
SAP_SE	SAP Commerce Cloud	, 2211-JDK21,
sap	commerce_cloud	2205, 2211

Timeline

Jan 14, 2026 CVE ID Reserved
Feb 10, 2026 CVE Published
Feb 10, 2026 EPSS Score
Feb 10, 2026 CVE Updated
Feb 12, 2026 EPSS Score
Feb 14, 2026 EPSS Score
Feb 16, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 22, 2026 EPSS Score
Feb 24, 2026 EPSS Score
Feb 26, 2026 EPSS Score

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2026.html advisory
https://me.sap.com/notes/3689543 url
https://url.sap/sapsecuritypatchday url
https://nvd.nist.gov/vuln/detail/CVE-2026-23684 advisory

Open in Interactive Console →