6.5

CVE-2026-40135

OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: SAP_SE
Product: SAP NetWeaver Application Server for ABAP and ABAP Platform
Default status: unaffected

Version          Status
SAP_BASIS 700    affected
SAP_BASIS 701    affected
SAP_BASIS 702    affected
SAP_BASIS 731    affected
SAP_BASIS 740    affected
SAP_BASIS 750    affected
SAP_BASIS 751    affected
SAP_BASIS 752    affected
SAP_BASIS 753    affected
SAP_BASIS 754    affected
SAP_BASIS 755    affected
SAP_BASIS 756    affected
SAP_BASIS 757    affected
SAP_BASIS 758    affected
SAP_BASIS 816    affected
No warning was found for this CVE.
EPSS Metrics

Type   Source      Score   Percentile
EPSS   FIRST.org   0.17%   0.372

CVSS Metrics

Source        Base Score   Exploit Score   Impact Score   Vector String
cna@sap.com   6.5          1.2             5.2            CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.