← back
CVE-2026-24321

Information Disclosure vulnerability in SAP Commerce Cloud

CVSS 5.3 MEDIUMEPSS 0.2%CWE-359
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
10 Feb 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
SAP_SE · SAP Commerce Cloud

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3687771https://url.sap/sapsecuritypatchday