COOEY // HUBcompliance · community · intelligence

FAIL › dossier

NetWeaver product

10
failure events
0
zero-days
5
RCEs
10
on KEV
1
critical
95
worst shame

Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.

Failure history 10 events

DateEventSevFlagsShameSummary
2025-04-29 CVE-2025-31324 critical ⚡RCE ⌖KEV 95 SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
2025-05-15 CVE-2025-42999 high ⚡RCE ⌖KEV 65 SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
2022-06-09 CVE-2016-2386 high ⚡RCE ⌖KEV 65 SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
2021-11-03 CVE-2010-5326 high ⚡RCE ⌖KEV 65 SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request.
2021-11-03 CVE-2020-6287 high ⚡RCE ⌖KEV 65 SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.
2025-03-19 CVE-2017-12637 high ⌖KEV 50 SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.
2022-06-09 CVE-2016-2388 high ⌖KEV 50 The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.
2022-06-09 CVE-2021-38163 high ⌖KEV 50 SAP NetWeaver contains a vulnerability that allows unrestricted file upload.
2021-11-03 CVE-2016-9563 high ⌖KEV 50 SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks.
2021-11-03 CVE-2016-3976 high ⌖KEV 50 SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files.