CVE-2026-27674

MEDIUM

Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)

Title source: cna

Description

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim�s browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.

References (2)

https://me.sap.com/notes/3719397

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 6.1

EPSS 0.0006

EPSS Percentile 18.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

SAP_SE/SAP NetWeaver Application Server Java (Web Dynpro Java) WD-RUNTIME 7.50

Published Apr 14, 2026

Tracked Since Apr 14, 2026