CVE-2026-40131

LOW

SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library

Title source: cna

Description

SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements. Successful exploitation could allow the high privileged users to alter the SELECT statements impacting confidentiality and availability of the application. There is no impact on integrity.

References (2)

Core 2

Core References

https://me.sap.com/notes/3726962

https://url.sap/sapsecuritypatchday

Scores

CVSS v3 3.4

EPSS 0.0001

EPSS Percentile 0.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

SAP_SE/SAP HANA Deployment Infrastructure (HDI) deploy library XS_HDI_DEPLOYER 1.00

Published May 12, 2026

Tracked Since May 12, 2026