1,586 CVEs

14 in CISA KEV

sap Vulnerabilities

CVE security advisories and vulnerability history for sap.

1,586

Total CVEs

Published

14

In CISA KEV

Exploited in the wild

196

Public exploits

With known exploit

6.2

Avg CVSS

2002–2026

Overview

sap has 1,586 published CVE records since 2002, of which 14 are in CISA's Known Exploited Vulnerabilities catalog and 196 have a known public exploit. The average CVSS base score across scored CVEs is 6.2.

This page aggregates every publicly disclosed vulnerability (CVE) affecting sap products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of sap's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical85

High152

Medium520

Low33

796 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

14

14 of sap's CVEs are confirmed exploited in the wild.

Public exploits

196

196 of sap's CVEs have a known public exploit available.

Most affected products

The sap products with the most published CVEs.

3d visual enterprise viewer131 CVEs
SAP 3D Visual Enterprise Viewer127 CVEs
netweaver108 CVEs
netweaver application server abap78 CVEs
businessobjects business intelligence platform74 CVEs
netweaver application server java68 CVEs
businessobjects business intelligence45 CVEs
hana38 CVEs

Common weakness types

The CWE weakness categories most often found in sap CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish sap CVE records.

Disclosure activity by year

How many sap CVEs were published each year.

2019

123

2020

222

2021

205

2022

190

2023

167

2024

97

2025

32

2026

36

Latest sap CVEs

The most recently disclosed vulnerabilities affecting sap.

Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA
CWE-204
Medium · CVSS 6.5
EPSS 0.1%2026-04-14
Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer
CWE-522
Medium · CVSS 5.0
EPSS 0.0%2026-04-14
Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)
CWE-862
Medium · CVSS 6.5
EPSS 0.0%2026-04-14
Information Disclosure vulnerability in S/4HANA (Manage Payment Media)
CWE-497
Medium · CVSS 4.3
EPSS 0.0%2026-02-24
Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)
CWE-601
Medium · CVSS 6.1
EPSS 0.1%2026-02-10
Missing Authorization Check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application)
CWE-862
Medium · CVSS 4.3
EPSS 0.0%2026-02-10
Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)
CWE-862
Medium · CVSS 4.3
EPSS 0.0%2026-02-10
Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console)
CWE-79
Medium · CVSS 4.8
EPSS 0.0%2026-02-10
Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools)
CWE-405
Medium · CVSS 6.5
EPSS 0.0%2026-02-10
Multiple vulnerabilities in BSP Applications of SAP Document Management System
CWE-601
Medium · CVSS 6.1
EPSS 0.0%2026-02-10
Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
CWE-862
High · CVSS 7.7
EPSS 0.0%2026-02-10
Information Disclosure vulnerability in SAP Commerce Cloud
CWE-359
Medium · CVSS 5.3
EPSS 0.1%2026-02-10

Track new sap CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor sap CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

dlink1,769 CVEs jenkins1,769 CVEs sun1,711 CVEs samsung1,607 CVEs Dell1,578 CVEs Jenkins project1,486 CVEs code-projects1,391 CVEs GitLab1,390 CVEs

Browse all vendors

Frequently asked questions

Common questions about sap vulnerabilities.

How many CVEs does sap have?

sap has 1,586 published CVE records since 2002, including 68 in the last two years.

How many sap CVEs are in CISA KEV?

Yes — 14 of sap's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which sap products have the most CVEs?

The sap products with the most published CVEs are 3d visual enterprise viewer, SAP 3D Visual Enterprise Viewer, netweaver, netweaver application server abap, businessobjects business intelligence platform.

What are the most common weakness types in sap CVEs?

sap's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-862 (Missing Authorization), CWE-787 (Out-of-bounds Write), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

Are there public exploits for sap vulnerabilities?

Yes — 196 of sap's CVEs have a known public exploit.

How many critical sap vulnerabilities are there?

sap has 85 critical and 152 high-severity CVEs.

What is the average severity of sap CVEs?

The average CVSS base score across sap's scored CVEs is 6.2.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track sap vulnerabilities

Monitor new sap vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing