CVE-2026-40135
OS Command Injection in SAP NetWeaver Application Server
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | netweaver_application_server_for_abap | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection in the SAP NetWeaver Application Server for ABAP and ABAP Platform. It allows an authenticated attacker who has administrative access to execute specially crafted shell commands on the server.
The attacker can bypass the logging mechanism, meaning these commands can be executed without being detected.
How can this vulnerability impact me? :
The vulnerability can impact the integrity and availability of the application by allowing unintended OS commands to be executed.
Since the logging mechanism can be bypassed, malicious actions may go unnoticed, increasing the risk of damage or disruption.
There is no impact on confidentiality according to the description.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker with administrative access to execute OS commands while bypassing the logging mechanism. This lack of logging can impact the integrity and availability of the application, which may hinder the ability to detect and respond to malicious activities.
Since the vulnerability does not impact confidentiality, direct exposure of personal or sensitive data is not indicated. However, the inability to log such actions could affect compliance with standards like GDPR and HIPAA that require proper audit trails and monitoring to ensure data integrity and accountability.
Therefore, this vulnerability could negatively affect compliance with regulations that mandate comprehensive logging and monitoring, potentially leading to non-compliance issues related to integrity and availability controls.