CVE-2026-23685 — Vulnetix

CVE-2026-23685 PUBLISHED CVSS 4.400000095367432 MEDIUM

Due to a Deserialization vulnerability in SAP NetWeaver (JMS service), an attacker authenticated as an administrator with local access could submit specially crafted content to the server. If processed by the application, this content could trigger unintended behavior during internal logic execution, potentially causing a denial of service. Successful exploitation results in a high impact on availability, while confidentiality and integrity remain unaffected.

EPSS 0.21% · 44.0th percentile

Risk Scores

CVSS 3.1

4.400000095367432

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.21%

44.0th percentile

Affected Products

Vendor	Product	Versions
sap	netweaver	7.50
SAP_SE	SAP NetWeaver (JMS service)	J2EE-FRMW 7.50

Exploit Intelligence

https://me.sap.com/notes/3687285 (circl)
https://url.sap/sapsecuritypatchday (circl)

Timeline

Feb 10, 2026 CVE Published
Feb 10, 2026 EPSS Score
Feb 12, 2026 EPSS Score
Feb 14, 2026 EPSS Score
Feb 16, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 22, 2026 EPSS Score
Feb 24, 2026 EPSS Score
Feb 26, 2026 EPSS Score
Feb 28, 2026 EPSS Score
Mar 2, 2026 EPSS Score

References

Open in Interactive Console →