← back
CVE-2025-42901

Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser)

CVSS 5.4 MEDIUMEPSS 0.2%CWE-94
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.4EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
14 Oct 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products
SAP_SE · SAP Application Server for ABAP (BAPI Browser)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3652788https://url.sap/sapsecuritypatchday