CVE-2026-27684 MEDIUM

CVE-2026-27684: SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification)

Vendor Sap_Se
Product SAP NetWeaver (Feedback Notification)
Weakness CWE-89 · SQLi
Published March 10, 2026
Last update March 10, 2026

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

What the vulnerability does

01 Description

SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application.

Key dates

02 Disclosure timeline

March 10, 2026 CVE published
March 10, 2026 Record updated