CVE-2026-27675
Received Received - Intake

ABAP Code Injection in SAP Landscape Transformation RFC Module

Vulnerability report for CVE-2026-27675, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-14

Last updated on: 2026-04-14

Assigner: SAP SE

Description

SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-14
Last Modified
2026-04-14
Generated
2026-07-06
AI Q&A
2026-04-14
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sap landscape_transformation *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in SAP Landscape Transformation within an RFC-exposed function module. It allows a highly privileged attacker to inject arbitrary ABAP code and operating system commands.

While the attacker can modify some information, they do not have control over the kind or degree of modification.

The overall impact is low on integrity, and there is no impact on confidentiality or availability.

Impact Analysis

This vulnerability could allow a high privileged adversary to modify some information within the SAP Landscape Transformation system.

However, the attacker does not have control over the type or extent of the modifications, resulting in a low impact on data integrity.

There is no impact on confidentiality or availability, so sensitive data exposure or system downtime are not expected consequences.

Compliance Impact

This vulnerability allows a high privileged adversary to inject arbitrary ABAP code and operating system commands, which could lead to modification of some information. However, the impact on integrity is low, and confidentiality and availability are not affected.

Given the low impact on integrity and no impact on confidentiality or availability, the vulnerability poses a limited risk to compliance with standards and regulations such as GDPR or HIPAA, which emphasize protection of confidentiality and integrity of sensitive data.

Nevertheless, any unauthorized modification of information could potentially raise concerns under these regulations, depending on the context and sensitivity of the affected data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27675. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart