CVE-2026-23684

Published: Feb 10, 2026

Modified: Feb 10, 2026

PUBLISHED

CVSS v3.1

5.9

MEDIUM

Description

A race condition vulnerability exists in the SAP Commerce cloud. Because of this when an attacker adds products to a cart, it may result in a cart entry being created with erroneous product value which could be checked out. This leads to high impact on data integrity, with no impact on data confidentiality or availability of the application.

Vendor	Product	Versions
SAP_SE	SAP Commerce Cloud	affected `HY_COM 2205` affected `COM_CLOUD 2211` affected `2211-JDK21`

Weaknesses (CWE)

CWE-366

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://me.sap.com/notes/3689543

https://url.sap/sapsecuritypatchday

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-23684

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References