Critical | 2026-06-09 | SAP Cloud Application Programming Model

Malicious Open-Source Packages in SAP Cloud Application Programming Model

SAP Cloud Application Programming Model (Node.js)

Our Take

CVSS 10.0 — perfect score, maximum severity. Supply chain compromise of a development framework means every application built on the affected CAP version is potentially infected. If your organisation uses CAP for Node.js development, this is an all-hands emergency. Treat affected environments as compromised until patched and audited.

Vulnerability Detail

SAP identified malicious open-source NPM packages included as dependencies in the Cloud Application Programming Model (CAP) for Node.js. An attacker who can influence the dependency resolution or supply chain could cause the application to execute malicious code, with full confidentiality, integrity, and availability impact. SAP rates this CVSS 10.0 — the maximum score.

Workaround

Audit your CAP Node.js dependency tree for the affected packages and remove or replace them before the patched version is deployed.

Patch Action

Apply SAP Note 3747787. Review your CAP Node.js lockfiles and dependency manifests for affected package versions.
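To support the audit of the dependency tree described under Workaround and the lockfile review above, here is an added example (not SAP's tooling) that walks a parsed package-lock.json in either the v1 nested layout or the v2/v3 flat layout and reports every flagged package@version with its install path. The package names and versions in FLAGGED and the sample lockfile are constructed placeholders; substitute the list from SAP Note 3747787.

```javascript
// Added example (not SAP's tooling): flag known-bad package@version entries in a
// package-lock.json. FLAGGED holds placeholders; use the list from SAP Note 3747787.
const FLAGGED = {
  'example-flagged-pkg': ['1.2.3'],   // placeholder: only this version is bad
  'placeholder-pkg-two': ['*'],       // placeholder: '*' flags every version
};
function check(name, version, path, hits) {
  const bad = FLAGGED[name];
  if (bad && (bad.includes('*') || bad.includes(version))) {
    hits.push({ name, version, path });
  }
}
// lockfileVersion 2/3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/b"; the package name is the last segment.
function scanPackagesMap(packages, hits) {
  for (const [key, meta] of Object.entries(packages)) {
    if (key === '') continue; // root project entry, not a dependency
    const name = key.slice(key.lastIndexOf('node_modules/') + 13);
    check(name, meta.version, key, hits);
  }
}
// lockfileVersion 1: nested "dependencies" tree, recursed to any depth.
function scanDependencyTree(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    check(name, meta.version, path, hits);
    scanDependencyTree(meta.dependencies, `${path}/`, hits);
  }
}
// Returns every flagged entry with its install path, or [] if the tree is clean.
function findFlaggedPackages(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, '', hits);
  return hits;
}
// Constructed sample (v3 layout): one flagged version nested under another
// dependency, plus a different, unflagged version of the same package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-cap-app', version: '1.0.0' },
    'node_modules/cap-dependency-placeholder': { version: '0.0.0' },
    'node_modules/cap-dependency-placeholder/node_modules/example-flagged-pkg': { version: '1.2.3' },
    'node_modules/example-flagged-pkg': { version: '1.2.2' },
  },
};
```

Feed `findFlaggedPackages` the result of `JSON.parse` on each project's package-lock.json; a non-empty result names exactly which install path carries the flagged version, which matters when the same package appears at several versions.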

Affected Versions

CAP Node.js — see SAP Note for specific package versions

Patch Info

Priority

🔴 Patch immediately

CVSS Score

10.0

SAP Note

3747787

Published

2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.