CVE-2025-42901 MEDIUM

CVE-2025-42901: Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser)

Vendor SAP SE
Product SAP Application Server for ABAP (BAPI Browser)
Weakness CWE-94 · Code injection
Published October 14, 2025
Last update October 14, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads, which could be executed in a victim user's browser when the victim accesses the affected functionality of BAPI explorer. This has a low impact on confidentiality and integrity, with no impact on the availability of the application.

Key dates

02 Disclosure timeline

October 14, 2025 CVE published
October 14, 2025 Record updated