COOEY // HUBcompliance · community · intelligence

FAIL › dossier

SAP vendor

14
failure events
0
zero-days
6
RCEs
14
on KEV
2
critical
95
worst shame

Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.

Failure history 14 events

DateEventSevFlagsShameSummary
2025-04-29 CVE-2025-31324 critical ⚡RCE ⌖KEV 95 SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries.
2021-11-03 CVE-2018-2380 critical ⌖KEV 80 SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.
2025-05-15 CVE-2025-42999 high ⚡RCE ⌖KEV 65 SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.
2024-09-30 CVE-2019-0344 high ⚡RCE ⌖KEV 65 SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection.
2022-06-09 CVE-2016-2386 high ⚡RCE ⌖KEV 65 SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
2021-11-03 CVE-2010-5326 high ⚡RCE ⌖KEV 65 SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request.
2021-11-03 CVE-2020-6287 high ⚡RCE ⌖KEV 65 SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users.
2025-03-19 CVE-2017-12637 high ⌖KEV 50 SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.
2022-08-18 CVE-2022-22536 high ⌖KEV 50 SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution imp
2022-06-09 CVE-2016-2388 high ⌖KEV 50 The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request.
2022-06-09 CVE-2021-38163 high ⌖KEV 50 SAP NetWeaver contains a vulnerability that allows unrestricted file upload.
2021-11-03 CVE-2016-9563 high ⌖KEV 50 SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks.
2021-11-03 CVE-2020-6207 high ⌖KEV 50 SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution Manager.
2021-11-03 CVE-2016-3976 high ⌖KEV 50 SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files.