VDB

GCVE-110-NCSC-2026-52

GCVE-110-NCSC-2026-52
Advisory PublishedCVSS 9.9/10
Vulnetix · Advisory published February 10, 2026
An authenticated attacker can exploit a code injection vulnerability in SAP CRM and SAP S/4HANA's Scripting Editor to execute unauthorized SQL statements, compromising database confidentiality, integrity, and availability.

Weaknesses (CWE)

CWE-862Missing AuthorizationCWE-347Improper Verification of Cryptographic SignatureCWE-606Unchecked Input for Loop ConditionCWE-405Asymmetric Resource Consumption (Amplification)CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')CWE-601URL Redirection to Untrusted Site ('Open Redirect')CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')CWE-497Exposure of Sensitive System Information to an Unauthorized Control SphereCWE-366Race Condition within a ThreadCWE-316Cleartext Storage of Sensitive Information in MemoryCWE-359Exposure of Private Personal Information to an Unauthorized ActorCWE-502Deserialization of Untrusted DataCWE-113Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

Risk Scores

CVSS 3.1
9.9/10
Critical · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
SAPvers:unknown/*

References

advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory
advisory

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›