CVE-2026-40128 | THREATINT

Description

SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.

PUBLISHED Reserved 2026-04-09 | Published 2026-06-09 | Updated 2026-06-09 | Assigner sap

CRITICAL: 9.0CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-35: Path Traversal

Product status

Default status

unaffected

ENGINEAPI 7.50

affected

References

me.sap.com/notes/3727078

url.sap/sapsecuritypatchday

cve.org (CVE-2026-40128)

nvd.nist.gov (CVE-2026-40128)

Download JSON