FAIL › dossier
Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.
| Date | Event | Sev | Flags | Shame | Summary |
|---|---|---|---|---|---|
| 2025-04-29 | CVE-2025-31324 | critical | ⚡RCE ⌖KEV | 95 | SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. |
| 2021-11-03 | CVE-2018-2380 | critical | ⌖KEV | 80 | SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users. |
| 2025-05-15 | CVE-2025-42999 | high | ⚡RCE ⌖KEV | 65 | SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content. |
| 2024-09-30 | CVE-2019-0344 | high | ⚡RCE ⌖KEV | 65 | SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection. |
| 2022-06-09 | CVE-2016-2386 | high | ⚡RCE ⌖KEV | 65 | SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 2021-11-03 | CVE-2010-5326 | high | ⚡RCE ⌖KEV | 65 | SAP NetWeaver Application Server Java Platforms Invoker Servlet does not require authentication, allowing for remote code execution via a HTTP or HTTPS request. |
| 2021-11-03 | CVE-2020-6287 | high | ⚡RCE ⌖KEV | 65 | SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create administrative users. |
| 2025-03-19 | CVE-2017-12637 | high | ⌖KEV | 50 | SAP NetWeaver Application Server (AS) Java contains a directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS that allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string. |
| 2022-08-18 | CVE-2022-22536 | high | ⌖KEV | 50 | SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution imp |
| 2022-06-09 | CVE-2016-2388 | high | ⌖KEV | 50 | The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. |
| 2022-06-09 | CVE-2021-38163 | high | ⌖KEV | 50 | SAP NetWeaver contains a vulnerability that allows unrestricted file upload. |
| 2021-11-03 | CVE-2016-9563 | high | ⌖KEV | 50 | SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks. |
| 2021-11-03 | CVE-2020-6207 | high | ⌖KEV | 50 | SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution Manager. |
| 2021-11-03 | CVE-2016-3976 | high | ⌖KEV | 50 | SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote attackers to read files. |