{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-0493","assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","state":"PUBLISHED","assignerShortName":"sap","dateReserved":"2025-12-09T22:06:35.874Z","datePublished":"2026-01-13T01:13:06.863Z","dateUpdated":"2026-01-13T19:07:00.934Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"SAP Fiori App (Intercompany Balance Reconciliation)","vendor":"SAP_SE","versions":[{"status":"affected","version":"UIAPFI70 500"},{"status":"affected","version":"600"},{"status":"affected","version":"700"},{"status":"affected","version":"800"},{"status":"affected","version":"900"},{"status":"affected","version":"901"},{"status":"affected","version":"902"},{"status":"affected","version":"S4CORE 102"},{"status":"affected","version":"103"},{"status":"affected","version":"104"},{"status":"affected","version":"105"},{"status":"affected","version":"106"},{"status":"affected","version":"107"},{"status":"affected","version":"108"},{"status":"affected","version":"109"},{"status":"affected","version":"UIS4H 109"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.</p>"}],"value":"Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-352","description":"CWE-352: Cross-Site Request Forgery","lang":"eng","type":"CWE"}]}],"providerMetadata":{"orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap","dateUpdated":"2026-01-13T01:13:06.863Z"},"references":[{"url":"https://me.sap.com/notes/3655229"},{"url":"https://url.sap/sapsecuritypatchday"}],"source":{"discovery":"UNKNOWN"},"title":"Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-13T14:12:47.683339Z","id":"CVE-2026-0493","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-13T19:07:00.934Z"}}]}}