CVE-2025-26654
Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)
Description
SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.
CVSS Vector Breakdown
AV:AAttack VectorAC:HAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2025-26654 and every CVE in our database. Create a free account — no credit card required.
Create Free Account