
Description

SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application.

PUBLISHED Reserved 2026-02-23 | Published 2026-03-10 | Updated 2026-03-10 | Assigner sap




MEDIUM: 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

Product status

Default status: unaffected

SAP_ABA
700: affected
701: affected
702: affected
731: affected
740: affected
750: affected
751: affected
752: affected
75A: affected
75B: affected
75C: affected
75D: affected
75E: affected
75F: affected
75G: affected
75H: affected
75I: affected
816: affected

References

me.sap.com/notes/3697355

url.sap/sapsecuritypatchday

cve.org (CVE-2026-27684)

nvd.nist.gov (CVE-2026-27684)
