Commerce cloud
This hub aggregates every CVE we track for Commerce cloud, a product in the cloud saas space. Use it to gauge the current risk picture and drill into individual advisories.
18
CVEs tracked
2
Critical
5
High
1
In CISA KEV
Severity distribution
MEDIUM11HIGH5CRITICAL2
Monthly trend
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
2024-082026-07
Latest CVEs
The 15 most recently published vulnerabilities affecting Commerce cloud.
- CVE-2026-24321Information Disclosure vulnerability in SAP Commerce Cloud5.3
- CVE-2026-23684Race condition vulnerability in SAP Commerce Cloud5.9
- CVE-2024-33003Information Disclosure Vulnerability in SAP Commerce Cloud7.4
- CVE-2023-42481Improper Access Control vulnerability in SAP Commerce Cloud8.1
- CVE-2023-37486Information Disclosure vulnerability in SAP Commerce (OCC API)5.9
- CVE-2023-39439SAP Commerce accepts empty passphrases.8.8
- CVE-2021-33666When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware prolifer...6.1
- CVE-2021-21445SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation,...5.4
- CVE-2020-26809SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders...5.3
- CVE-2020-6363SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with user...4.6
- CVE-2020-6272SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several ...5.4
- CVE-2020-6238SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and...9.3
- CVE-2020-6232SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check. This affects confidentiality of secure media.5.3
- CVE-2020-6201The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP re...6.1
- CVE-2020-6200The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templati...5.4
Product normalization is registry-driven with AI assist and human review. How it works