6.5
CVE-2026-40135
- EPSS 1.4%
- Veröffentlicht 12.05.2026 02:21:40
- Zuletzt bearbeitet 03.06.2026 18:33:28
- Quelle cna@sap.com
- CVE-Watchlists
- Unerledigt
OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SAP ≫ Netweaver Application Server Abap Version700 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version701 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version702 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version731 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version740 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version750 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version751 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version752 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version753 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version754 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version755 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version756 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version757 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version758 SwEditionsap_basis
SAP ≫ Netweaver Application Server Abap Version816 SwEditionsap_basis
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.4% | 0.689 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cna@sap.com | 6.5 | 1.2 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
|
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
https://url.sap/sapsecuritypatchday
https://me.sap.com/notes/3730019