SQL Injection Vulnerability in SAP CRM and SAP S/4HANA
CVE-2026-0488

9.9CRITICAL

Key Information:

Vendor: SAP
Status: SAP Crm And SAP S/4hana (scripting Editor)
Vendor: CVE Published:; 10 February 2026

What is CVE-2026-0488?

An authenticated attacker can exploit a vulnerability in the SAP CRM and SAP S/4HANA, specifically within the Scripting Editor's generic function module call. This flaw enables attackers to execute arbitrary SQL statements, potentially leading to a complete compromise of the database. The exploitation of this vulnerability poses severe risks to the confidentiality, integrity, and availability of sensitive data.

Affected Version(s)

SAP CRM and SAP S/4HANA (Scripting Editor) S4FND 102

SAP CRM and SAP S/4HANA (Scripting Editor) 103

SAP CRM and SAP S/4HANA (Scripting Editor) 104

References

https://me.sap.com/notes/3697099

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2026
Vulnerability Reserved
Dec 9, 2025

CVE-2026-0488 Data

JSON