CVE-2026-40135
OS Command Injection in SAP NetWeaver Application Server
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | netweaver_application_server_for_abap | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection in the SAP NetWeaver Application Server for ABAP and ABAP Platform. It allows an authenticated attacker who has administrative access to execute specially crafted shell commands on the server.
The attacker can bypass the logging mechanism, meaning these commands can be executed without being detected.
How can this vulnerability impact me? :
The vulnerability can impact the integrity and availability of the application by allowing unintended OS commands to be executed.
Since the logging mechanism can be bypassed, malicious actions may go unnoticed, increasing the risk of damage or disruption.
There is no impact on confidentiality according to the description.