CVE-2026-40135 | THREATINT

Description

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

PUBLISHED Reserved 2026-04-09 | Published 2026-05-12 | Updated 2026-05-12 | Assigner sap

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command

Product status

Default status

unaffected

SAP_BASIS 700

affected

SAP_BASIS 701

affected

SAP_BASIS 702

affected

SAP_BASIS 731

affected

SAP_BASIS 740

affected

SAP_BASIS 750

affected

SAP_BASIS 751

affected

SAP_BASIS 752

affected

SAP_BASIS 753

affected

SAP_BASIS 754

affected

SAP_BASIS 755

affected

SAP_BASIS 756

affected

SAP_BASIS 757

affected

SAP_BASIS 758

affected

SAP_BASIS 816

affected

References

me.sap.com/notes/3730019

url.sap/sapsecuritypatchday

cve.org (CVE-2026-40135)

nvd.nist.gov (CVE-2026-40135)

Download JSON