CVE-2026-0507
Unknown Unknown - Not Provided
OS Command Injection in SAP ABAP Server Risks Full System Compromise

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: SAP SE

Description
Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the systemοΏ½s confidentiality, integrity, and availability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0507
EUVD
EUVD-2026-2380
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sap application_server_for_abap *
sap netweaver_rfcsdk *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability could impact compliance with common standards and regulations such as GDPR and HIPAA because successful exploitation may lead to full compromise of the system's confidentiality, integrity, and availability. Such a compromise can result in unauthorized access to sensitive personal or health data, violating data protection and privacy requirements mandated by these regulations.

Executive Summary

This vulnerability is an OS Command Injection flaw in SAP Application Server for ABAP and SAP NetWeaver RFCSDK. An authenticated attacker with administrative and adjacent network access can upload specially crafted content to the server. When the application processes this content, it allows the attacker to execute arbitrary operating system commands on the server.

Impact Analysis

Exploitation of this vulnerability could lead to a full compromise of the system's confidentiality, integrity, and availability. This means an attacker could gain control over the system, access sensitive data, modify or delete information, and disrupt system operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart