What is CVE-2025-27435?

CVE-2025-27435 is a medium-severity vulnerability in Sap_se Sap Commerce Cloud, classified under Missing Authorization. CVSS score: 4.2/10. Published 2025-04-08.

How severe is CVE-2025-27435?

Medium severity. CVSS v3 base score is 4.2 out of 10.

Auth bypass in Sap_se Sap Commerce Cloud

CVE-2025-27435

Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon…

Vulnerability class: Broken Access Control

EPSS: 0.003 (49.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.2 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N.

Affected products

Sap_se Sap Commerce Cloud — versions HY_COM 2205, COM_CLOUD 2211

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

me.sap.com/notes/3539465
url.sap/sapsecuritypatchday

Frequently asked questions

What is CVE-2025-27435?: CVE-2025-27435 is a medium-severity vulnerability in Sap_se Sap Commerce Cloud, classified under Missing Authorization. CVSS score: 4.2/10. Published 2025-04-08.
How severe is CVE-2025-27435?: Medium severity. CVSS v3 base score is 4.2 out of 10.