CVE-2025-42896 MEDIUM

CVE-2025-42896: Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform

Vendor: SAP SE
Product: SAP BusinessObjects Business Intelligence Platform
Weakness: CWE-116
Published: December 9, 2025
Last update: December 9, 2025

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

SAP BusinessObjects Business Intelligence Platform lets an unauthenticated remote attacker send crafted requests through the URL parameter that controls the login page error message. This can cause the server to fetch attacker-supplied URLs, resulting in low impact to confidentiality and integrity, and no impact to availability.

Key dates

02 Disclosure timeline

December 9, 2025: CVE published
December 9, 2025: Record updated