PT-2025-15365 · SAP · SAP Commerce Cloud

Published: 2025-04-08 · Updated: 2025-04-09 · CVE-2025-26654

CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SAP Commerce Cloud (affected versions not specified)
Description: The issue affects the confidentiality and integrity of data sent in the first request before the redirect from HTTP to HTTPS. SAP Commerce Cloud normally serves traffic over HTTPS and redirects plain HTTP requests to HTTPS, but that redirect protects only the requests that follow it. A client configured to start on HTTP has already transmitted its first request in cleartext, including any credentials, session cookies or form data it carries, before it ever receives the redirect. An attacker positioned on the network path (adjacent network, per the vector's AV:A) can read or tamper with that request; the server-side redirect cannot undo the exposure.
Recommendations: Configure clients to use HTTPS directly, so that no request is ever issued over unencrypted HTTP. As a temporary workaround, restrict or disable the HTTP listener to minimize the window for exploitation. Where HTTP cannot yet be disabled, ensure that no confidential data is sent in the first request before the redirect to HTTPS; a request that only fetches a redirect and carries no cookies, tokens or body exposes nothing of value.
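To make the failure mode concrete, the following added example (written for this page; it is not SAP code and does not model SAP Commerce Cloud's actual implementation) runs a throwaway local HTTP listener that behaves like a hypothetical HTTP front door: it reads the whole request and only then answers with a 301 to an HTTPS location. A naive client that starts on http:// hands over its session cookie and form credentials on the cleartext hop before the redirect arrives. The host name example.test, the /login path, the header list and the credentials are constructed for the demo. The `enforce_https` helper is the client-side fix the recommendation describes: upgrade (or refuse) the scheme before the first byte is sent, instead of relying on the server's redirect.

```python
"""Why the first request matters: an HTTP->HTTPS redirect is issued only
after the server has already received the cleartext request.
Constructed demo on 127.0.0.1; not SAP code."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

# Request headers that usually carry secrets (constructed list for the demo).
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}

captured = []  # everything the cleartext hop revealed to this listener


class RedirectingHandler(BaseHTTPRequestHandler):
    """Hypothetical HTTP front door: consume the request, then redirect to HTTPS."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        captured.append({
            "method": self.command,
            "path": self.path,
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": body,
        })
        # The redirect is sent only now; the request above already travelled
        # in cleartext, so the redirect protects nothing in it.
        self.send_response(301)
        self.send_header("Location", "https://example.test" + self.path)
        self.end_headers()

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral port on loopback and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def exposed_fields(record):
    """Sensitive items an on-path observer of the cleartext request obtains."""
    found = {h: v for h, v in record["headers"].items() if h in SENSITIVE_HEADERS}
    if record["body"]:
        found["body"] = record["body"].decode(errors="replace")
    return found


def send_plain_http(port, path, headers, body):
    """Naive client: POST over plain HTTP, no redirect following."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, body=body, headers=headers)  # Content-Length added automatically
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result


def demonstrate_exposure():
    """Run the naive client against the redirecting listener and report
    (status, Location, what the cleartext hop exposed)."""
    srv = start_server()
    try:
        status, location = send_plain_http(
            srv.server_port, "/login",
            {"Content-Type": "application/x-www-form-urlencoded",
             "Cookie": "JSESSIONID=demo-session"},          # constructed session cookie
            b"j_username=alice&j_password=hunter2")         # constructed credentials
    finally:
        srv.shutdown()
        srv.server_close()
    return status, location, exposed_fields(captured[-1])


def enforce_https(url):
    """Client-side fix: never start on http://. Rewrite the scheme before the
    first request is sent; reject anything that is not HTTP(S)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:]))
    raise ValueError(f"unsupported scheme: {parts.scheme!r}")


if __name__ == "__main__":
    status, location, leaked = demonstrate_exposure()
    print(f"redirect {status} -> {location}; leaked on the HTTP hop: {leaked}")
    print("safe client would request:", enforce_https("http://example.test/login"))
```

The status code of the redirect (301, 302, 307 or 308) makes no difference to the exposure: the listener has the cookie and the password before it writes a single response byte. That is why the recommendation targets the client configuration rather than the redirect itself.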

Weakness Enumeration

CWE-319: Cleartext Transmission of Sensitive Information

Related Identifiers

BDU:2025-04846
CVE-2025-26654

Affected Products

SAP Commerce Cloud