CVE-2025-42910 · CRITICAL 9.0 · EPSS p34.8%

Description

Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables that could host malware and that a user might download and execute. On successful exploitation, an attacker could cause a high impact on the confidentiality, integrity and availability of the application.

Scoring

CVSS 3.1: 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 34.8% · 2026-06-18T12:00:27Z
Published: 2025-10-14
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-434

References

  1. https://me.sap.com/notes/3647332
  2. https://url.sap/sapsecuritypatchday

Type | Target | Confidence | Tier
Weakness | Unrestricted Upload of File with Dangerous Type (cwe-434) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-42922
  2. CVE: CVE-2025-25243
  3. CVE: CVE-2025-42964
  4. CVE: SAP NetWeaver Unrestricted File Upload Vulnerability
  5. CVE: CVE-2025-42887
  6. CVE: CVE-2025-42880

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.