CVE-2026-27675
Received Received - Intake
ABAP Code Injection in SAP Landscape Transformation RFC Module

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: SAP SE

Description
SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27675
EUVD
EUVD-2026-22147
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sap landscape_transformation *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in SAP Landscape Transformation within an RFC-exposed function module. It allows a highly privileged attacker to inject arbitrary ABAP code and operating system commands.

While the attacker can modify some information, they do not have control over the kind or degree of modification.

The overall impact is low on integrity, and there is no impact on confidentiality or availability.

Impact Analysis

This vulnerability could allow a high privileged adversary to modify some information within the SAP Landscape Transformation system.

However, the attacker does not have control over the type or extent of the modifications, resulting in a low impact on data integrity.

There is no impact on confidentiality or availability, so sensitive data exposure or system downtime are not expected consequences.

Compliance Impact

This vulnerability allows a high privileged adversary to inject arbitrary ABAP code and operating system commands, which could lead to modification of some information. However, the impact on integrity is low, and confidentiality and availability are not affected.

Given the low impact on integrity and no impact on confidentiality or availability, the vulnerability poses a limited risk to compliance with standards and regulations such as GDPR or HIPAA, which emphasize protection of confidentiality and integrity of sensitive data.

Nevertheless, any unauthorized modification of information could potentially raise concerns under these regulations, depending on the context and sensitivity of the affected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27675. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart