CVE-2026-40129 MEDIUM

CVE-2026-40129: Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform

Vendor Sap_Se
Product SAP Application Server ABAP for SAP NetWeaver and ABAP Platform
Weakness CWE-94 · Code injection
Published May 12, 2026
Last update May 12, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated