CVE-2026-40129
Code Injection in SAP Application Server ABAP
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | application_server_abap | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Code Injection issue in the SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can send specially crafted inputs to the application. If these inputs are processed and delivered to users subscribed to a channel, it could lead to execution of arbitrary code on behalf of other users.
How can this vulnerability impact me? :
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code as other users, which impacts the integrity of the system. However, it does not affect the confidentiality or availability of the system. The overall impact is considered low.