CVE-2026-24315 MEDIUM

CVE-2026-24315: Path Traversal Vulnerability in SAP Fiori (launchpad)

Vendor Sap_Se
Product SAP Fiori (launchpad)
Weakness CWE-35
Published June 9, 2026
Last update June 9, 2026

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.

Key dates

02Disclosure timeline

June 9, 2026 CVE published
June 9, 2026 Record updated