CVE-2026-40135
MEDIUMOS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Title source: cnaDescription
An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.
References (2)
Core 2
Scores
CVSS v3
6.5
EPSS
0.0140
EPSS Percentile
69.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-77
Status
published
Products (30)
sap/netweaver_application_server_abap
700
sap/netweaver_application_server_abap
701
sap/netweaver_application_server_abap
702
sap/netweaver_application_server_abap
731
sap/netweaver_application_server_abap
740
sap/netweaver_application_server_abap
750
sap/netweaver_application_server_abap
751
sap/netweaver_application_server_abap
752
sap/netweaver_application_server_abap
753
sap/netweaver_application_server_abap
754
... and 20 more
Published
May 12, 2026
Tracked Since
May 12, 2026