Publish Advisories

GHSA-2qp6-v7mh-v798
GHSA-3mmv-v6g2-g7c6
GHSA-4772-pjcp-2xfr
GHSA-4p53-w5pc-f48w
GHSA-4x3m-wqv7-c7h3
GHSA-5429-v87q-pg8h
GHSA-5j28-xwjp-v5gv
GHSA-67mq-54j2-cv5m
GHSA-6xvr-96w9-f64h
GHSA-9m57-5mv3-fjx3
GHSA-cv7h-78v9-r3jf
GHSA-jjvw-w74f-45qh
GHSA-jm7g-m582-79q7
GHSA-jmwc-hm8x-6w23
GHSA-mg77-v38f-9pm9
GHSA-mwg5-cwh8-88m5
GHSA-w8gf-92gc-cx36
GHSA-wjx9-27x5-jwmf
GHSA-x2gq-6c9p-44p8
GHSA-x6hw-xmff-xh6q
GHSA-xmmh-wmh6-hp5h
GHSA-xwwh-3hfg-5c8w

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-2qp6-v7mh-v798/GHSA-2qp6-v7mh-v798.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2qp6-v7mh-v798",
+  "modified": "2026-01-13T03:32:08Z",
+  "published": "2026-01-13T03:32:08Z",
+  "aliases": [
+    "CVE-2026-0497"
+  ],
+  "details": "SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0497"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3677111"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:52Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-3mmv-v6g2-g7c6/GHSA-3mmv-v6g2-g7c6.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3mmv-v6g2-g7c6",
+  "modified": "2026-01-13T03:32:09Z",
+  "published": "2026-01-13T03:32:09Z",
+  "aliases": [
+    "CVE-2025-66176"
+  ],
+  "details": "There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66176"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.hikvision.com/en/support/cybersecurity/security-advisory/buffer-overflow-vulnerabilities-in-some-hikvision-products"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T03:16:01Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4772-pjcp-2xfr/GHSA-4772-pjcp-2xfr.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4772-pjcp-2xfr",
+  "modified": "2026-01-13T03:32:09Z",
+  "published": "2026-01-13T03:32:09Z",
+  "aliases": [
+    "CVE-2026-0503"
+  ],
+  "details": "Due to missing authorization check in the SAP ERP Central Component (SAP ECC) and SAP S/4HANA (SAP EHS Management), an attacker could extract hardcoded clear-text credentials and bypass the password authentication check by manipulating user parameters. Upon successful exploitation, the attacker can access, modify or delete certain change pointer information within EHS objects in the application which might further affect the subsequent systems. This vulnerability leads to a low impact on confidentiality and integrity of the application with no affect on the availability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0503"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3681523"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:52Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4p53-w5pc-f48w/GHSA-4p53-w5pc-f48w.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4p53-w5pc-f48w",
+  "modified": "2026-01-13T03:32:08Z",
+  "published": "2026-01-13T03:32:08Z",
+  "aliases": [
+    "CVE-2026-0498"
+  ],
+  "details": "SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0498"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3694242"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:52Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-4x3m-wqv7-c7h3/GHSA-4x3m-wqv7-c7h3.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4x3m-wqv7-c7h3",
+  "modified": "2026-01-13T03:32:09Z",
+  "published": "2026-01-13T03:32:09Z",
+  "aliases": [
+    "CVE-2026-0507"
+  ],
+  "details": "Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0507"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3675151"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:53Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-5429-v87q-pg8h/GHSA-5429-v87q-pg8h.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5429-v87q-pg8h",
+  "modified": "2026-01-13T03:32:08Z",
+  "published": "2026-01-13T03:32:08Z",
+  "aliases": [
+    "CVE-2026-0495"
+  ],
+  "details": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges  to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0495"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3565506"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-15"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:51Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-5j28-xwjp-v5gv/GHSA-5j28-xwjp-v5gv.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5j28-xwjp-v5gv",
+  "modified": "2026-01-13T03:32:08Z",
+  "published": "2026-01-13T03:32:08Z",
+  "aliases": [
+    "CVE-2026-0496"
+  ],
+  "details": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges  to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0496"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3565506"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:51Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-67mq-54j2-cv5m/GHSA-67mq-54j2-cv5m.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-67mq-54j2-cv5m",
+  "modified": "2026-01-13T03:32:08Z",
+  "published": "2026-01-13T03:32:08Z",
+  "aliases": [
+    "CVE-2026-0492"
+  ],
+  "details": "SAP HANA database is vulnerable to privilege escalation allowing an attacker with valid credentials of any user to switch to another user potentially gaining administrative access. This exploit could result in a total compromise of the system�s confidentiality, integrity, and availability.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0492"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3691059"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:51Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-6xvr-96w9-f64h/GHSA-6xvr-96w9-f64h.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6xvr-96w9-f64h",
+  "modified": "2026-01-13T03:32:08Z",
+  "published": "2026-01-13T03:32:08Z",
+  "aliases": [
+    "CVE-2026-0494"
+  ],
+  "details": "Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0494"
+    },
+    {
+      "type": "WEB",
+      "url": "https://me.sap.com/notes/3655227"
+    },
+    {
+      "type": "WEB",
+      "url": "https://url.sap/sapsecuritypatchday"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-497"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-13T02:15:51Z"
+  }
+}