Code Injection vulnerability in SAP Application Server ABAP for SAP...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

Basic Information

ID CVE-2026-40129

Source sap

Published May 12, 2026 at 02:20

Affected Product

Vendor SAP_SE

Product SAP Application Server ABAP for SAP NetWeaver and ABAP Platform

Version SAP_BASIS 740

Affected Versions SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 740
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 750
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 751
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 752
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 753
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 754
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 755
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 756
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 757
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 758
SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 816

CWE Classification

CWE-94

References

{
    "lastseen": "",
    "description": "Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.",
    "published": "2026-05-12T02:20:45.186Z",
    "modified": "2026-05-12T02:20:45.186Z",
    "type": "cve",
    "title": "Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform",
    "source": "sap",
    "references": "https://me.sap.com/notes/3735359\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-40129",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 740\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 750\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 751\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 752\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 753\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 754\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 755\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 756\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 757\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 758\nSAP_SE SAP Application Server ABAP for SAP NetWeaver and ABAP Platform SAP_BASIS 816",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP Application Server ABAP for SAP NetWeaver and ABAP Platform",
    "version": "SAP_BASIS 740",
    "vendor": "SAP_SE",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform_CVE-2026-40129