| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.5 | $0-$5k | 0.00 |
Summary
A vulnerability marked as problematic has been reported in SAP Fiori App. This impacts an unknown function. The manipulation leads to external control of setting. This vulnerability is uniquely identified as CVE-2026-0495. The attack is possible to be carried out remotely. No exploit exists. To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability was found in SAP Fiori App (the affected version is unknown) and classified as problematic. This issue affects an unknown code. The manipulation with an unknown input leads to a external control of setting vulnerability. Using CWE to declare the problem leads to CWE-15. One or more system settings or configuration elements can be externally controlled by a user. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
It is possible to read the advisory at me.sap.com. The identification of this vulnerability is CVE-2026-0495 since 12/09/2025. The exploitation is known to be difficult. The attack may be initiated remotely. Additional levels of successful authentication are required for exploitation. The technical details are unknown and an exploit is not publicly available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 01/14/2026).
Applying a patch is able to eliminate this problem.
The vulnerability is also documented in the databases at CNNVD (CNNVD-202601-2338) and CERT Bund (WID-SEC-2026-0077). Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Affected
- SAP Software
Product
Vendor
Name
License
Website
- Vendor: https://www.sap.com/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.6VulDB Meta Temp Score: 4.5
VulDB Base Score: 4.1
VulDB Temp Score: 3.9
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 5.1
CNA Vector (sap): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: External control of settingCWE: CWE-15
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔒
Timeline
12/09/2025 CVE reserved01/13/2026 Advisory disclosed
01/13/2026 VulDB entry created
01/14/2026 VulDB entry last update
Sources
Vendor: sap.comAdvisory: me.sap.com
Status: Confirmed
CVE: CVE-2026-0495 (🔒)
GCVE (CVE): GCVE-0-2026-0495
GCVE (VulDB): GCVE-100-340547
CERT Bund: WID-SEC-2026-0077 - SAP Patchday Januar 2026: Mehrere Schwachstellen
CNNVD: CNNVD-202601-2338 - SAP Fiori App Intercompany Balance Reconciliation 安全漏洞
scip Labs: https://www.scip.ch/en/?labs.20150716
Entry
Created: 01/13/2026 08:41Updated: 01/14/2026 22:42
Changes: 01/13/2026 08:41 (60), 01/13/2026 17:59 (7), 01/14/2026 22:42 (6)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.