
Description

An SQL injection vulnerability exists in the @sap/hdi-deploy package, where SQL queries are dynamically constructed from user input without proper parameterization or prepared statements. Successful exploitation could allow high-privileged users to alter SELECT statements, impacting the confidentiality and availability of the application. There is no impact on integrity.

PUBLISHED Reserved 2026-04-09 | Published 2026-05-12 | Updated 2026-05-12 | Assigner sap




LOW: 3.4 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

Product status

Default status: unaffected

XS_HDI_DEPLOYER 1.00: affected

References

me.sap.com/notes/3726962

url.sap/sapsecuritypatchday

cve.org (CVE-2026-40131)

nvd.nist.gov (CVE-2026-40131)
