CVE-2026-40129

MEDIUM

Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform

Title source: cna

Description

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

References (2)

Core 2

Core References

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3735359

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 4.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-94

Status published

Products (11)

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 740

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 750

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 751

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 752

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 753

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 754

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 755

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 756

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 757

SAP_SE/SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 758

... and 1 more

Published May 12, 2026

Tracked Since May 12, 2026