CVE-2026-27684
MEDIUM
SAP NetWeaver Feedback Notifications Service - Authenticated SQL Injection via User-Controlled Input Fields
SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application.
References (2)
Core References
Vendor Advisory: https://me.sap.com/notes/3697355
Vendor Advisory: https://url.sap/sapsecuritypatchday
Scores
CVSS v3: 6.4
EPSS: 0.0027
EPSS Percentile: 18.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Published: Mar 10, 2026
Tracked Since: Mar 11, 2026