{"cve":{"cve_id":"CVE-2026-24321","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00214,"epss_percentile":0.11647,"epss_as_of":"2026-06-23","description":"SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does not affect integrity and availability.","published_at":"2026-02-10T03:03:52.708000Z","last_modified_at":null,"cvss_v3_score":5.3,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","cvss_v3_severity":"MEDIUM","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-359"],"nvd_references":["https://me.sap.com/notes/3687771","https://url.sap/sapsecuritypatchday"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:29:20.607943Z"},"effective_severity":"MEDIUM","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"L","value_label":"Low"},{"metric":"I","name":"Integrity","value":"N","value_label":"None"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"sap-se","vendor_name":"SAP_SE","product_slug":"sap-commerce-cloud","product_name":"SAP Commerce Cloud","version_start":"HY_COM 2205","version_start_inclusive":true,"version_end":"HY_COM 2205","version_end_inclusive":true,"cpe23_uri":"cve5:sap-se:sap-commerce-cloud:HY_COM 2205:HY_COM 2205"},{"vendor_slug":"sap-se","vendor_name":"SAP_SE","product_slug":"sap-commerce-cloud","product_name":"SAP Commerce Cloud","version_start":"COM_CLOUD 2211","version_start_inclusive":true,"version_end":"COM_CLOUD 2211","version_end_inclusive":true,"cpe23_uri":"cve5:sap-se:sap-commerce-cloud:COM_CLOUD 2211:COM_CLOUD 2211"},{"vendor_slug":"sap-se","vendor_name":"SAP_SE","product_slug":"sap-commerce-cloud","product_name":"SAP Commerce Cloud","version_start":"2211-JDK21","version_start_inclusive":true,"version_end":"2211-JDK21","version_end_inclusive":true,"cpe23_uri":"cve5:sap-se:sap-commerce-cloud:2211-JDK21:2211-JDK21"}],"exploit_refs":[],"news":[],"references":[{"url":"https://me.sap.com/notes/3687771","source_type":"MISC","tags":[]},{"url":"https://url.sap/sapsecuritypatchday","source_type":"MISC","tags":["patch"]}],"timeline":[{"type":"published","at":"2026-02-10T03:03:52.708000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:51:54.153642Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:51:54.153642Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:51:54.153642Z","label":"CVSS score revised","source":"cvelistv5"}]}