CVE-2026-0498 Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)

🗓️ 13 Jan 2026 01:13:41Reported by sapType

CVE-2026-0498: Admins can inject abap code or operating system commands via remote function call in SAP S/4HANA, bypassing authorization.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2026-0498	13 Jan 202603:02	–	circl
CNNVD	SAP S/4HANA 代码注入漏洞	13 Jan 202600:00	–	cnnvd
CVE	CVE-2026-0498	13 Jan 202601:13	–	cve
EUVD	EUVD-2026-2392	13 Jan 202601:13	–	euvd
NCSC	Vulnerabilities fixed in SAP products	13 Jan 202614:42	–	ncsc
NVD	CVE-2026-0498	13 Jan 202602:15	–	nvd
Positive Technologies	PT-2026-2334	13 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-0498	14 Jan 202601:22	–	redhatcve
The Hacker News	⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More	19 Jan 202613:17	–	thn
Vulnrichment	CVE-2026-0498 Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)	13 Jan 202601:13	–	vulnrichment

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP S/4HANA (Private Cloud and On-Premise)",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "S4CORE 102"
      },
      {
        "status": "affected",
        "version": "103"
      },
      {
        "status": "affected",
        "version": "104"
      },
      {
        "status": "affected",
        "version": "105"
      },
      {
        "status": "affected",
        "version": "106"
      },
      {
        "status": "affected",
        "version": "107"
      },
      {
        "status": "affected",
        "version": "108"
      },
      {
        "status": "affected",
        "version": "109"
      }
    ]
  }
]

Source	Link
url	www.url.sap/sapsecuritypatchday
me	www.me.sap.com/notes/3694242

13 Jan 2026 01:13Current

CVSS 3.19.1

EPSS0.00046

CWE-94