CVE-2026-40129
Code Injection in SAP Application Server ABAP
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | application_server_abap | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is recommended to apply the latest security patches provided by SAP for the Application Server ABAP and ABAP Platform.
You can regularly check SAP Security Notes and apply relevant updates as soon as they are released to address this code injection vulnerability.
Ensure that only authenticated and authorized users have access to the affected SAP components to reduce the risk of exploitation.
Can you explain this vulnerability to me?
This vulnerability is a Code Injection issue in the SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker can send specially crafted inputs to the application. If these inputs are processed and delivered to users subscribed to a channel, it could lead to execution of arbitrary code on behalf of other users.
How can this vulnerability impact me? :
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code as other users, which impacts the integrity of the system. However, it does not affect the confidentiality or availability of the system. The overall impact is considered low.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability results in a low impact on integrity with no impact on confidentiality or availability. Since it does not affect confidentiality, it is unlikely to directly cause breaches of data protection regulations such as GDPR or HIPAA that primarily focus on protecting personal and sensitive data confidentiality and availability.
However, any code injection vulnerability could potentially be a concern for compliance if exploited to alter data or system behavior, but based on the provided information, this vulnerability's impact is limited and does not indicate direct compliance violations.