CVE-2026-40135

MEDIUM

OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Title source: cna
STIX 2.1

Description

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

Scores

CVSS v3 6.5
EPSS 0.0140
EPSS Percentile 69.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-77
Status published
Products (30)
sap/netweaver_application_server_abap 700
sap/netweaver_application_server_abap 701
sap/netweaver_application_server_abap 702
sap/netweaver_application_server_abap 731
sap/netweaver_application_server_abap 740
sap/netweaver_application_server_abap 750
sap/netweaver_application_server_abap 751
sap/netweaver_application_server_abap 752
sap/netweaver_application_server_abap 753
sap/netweaver_application_server_abap 754
... and 20 more
Published May 12, 2026
Tracked Since May 12, 2026