CVE-2025-26654
Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)
CVSS Score
6.8
EPSS Score
0.0%
EPSS Percentile
0th
SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.
| Vendor | sap_se |
| Product | sap commerce cloud (public cloud) |
| Published | Apr 8, 2025 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for sap_se sap commerce cloud (public cloud)
Be the first to know when new medium vulnerabilities affecting sap_se sap commerce cloud (public cloud) are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
SAP_SE / SAP Commerce Cloud (Public Cloud)
COM_CLOUD 2211