Sap commerce
This hub aggregates every CVE we track for Sap commerce, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.
15
CVEs tracked
5
Critical
7
High
0
In CISA KEV
Severity distribution
HIGH7CRITICAL5MEDIUM3
Monthly trend
1
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Sap commerce.
- CVE-2025-27434Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI)8.8
- CVE-2025-24875SameSite Defense in Depth not applied for some cookies in SAP Commerce6.8
- CVE-2024-41733Information Disclosure Vulnerability in SAP Commerce5.3
- CVE-2024-39597[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce7.2
- CVE-2023-39439SAP Commerce accepts empty passphrases.8.8
- CVE-2022-41204An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL. They can inject code that allows them to redirect submissions fr...8.8
- CVE-2021-42064If configured to use an Oracle database and if a query is created using the flexible search java api with a parameterized "in" clause, SAP Commerce - versions 1905, 2005, 2105, 2011, allows attacke...9.8
- CVE-2021-40502SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers ...8.8
- CVE-2021-27602SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain mo...9.9
- CVE-2021-21477SAP Commerce Cloud, versions - 1808,1811,1905,2005,2011, enables certain users with required privileges to edit drools rules, an authenticated attacker with this privilege will be able to inject ma...9.9
- CVE-2020-6302SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing o...8.1
- CVE-2020-6264SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure.7.5
- CVE-2020-6265SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been con...9.8
- CVE-2020-6238SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and...9.3
- CVE-2020-6232SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media.5.3
Product normalization is registry-driven with AI assist and human review. How it works