MEDIUM SeverityCVSS 3.14.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE-2026-40129

Last updated May 12, 2026 · Published May 12, 2026

Description

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

Affected products

1 listed

SAP_SE:SAP Application Server ABAP for SAP NetWeaver and ABAP Platform

Mappings

CWE

CWE-94

CAPEC

None listed.

Research

Command injection: how it works and how to prevent itCommand injection happens when untrusted input reaches a shell or process spawn. Avoid the shell, pass…
Template InjectionExplains how untrusted input can be executed by template engines on server or client. Covers safe templating…

Training

Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.

CVE-2026-40129

Description

Affected products

Mappings

Related