CVE-2025-42901

Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser)

CVSS 5.4 MEDIUMEPSS 0.2%CWE-94

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected products

SAP_SE · SAP Application Server for ABAP (BAPI Browser)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://me.sap.com/notes/3652788 https://url.sap/sapsecuritypatchday