Plattform
sap
Komponente
sap-netweaver-application-server-java
Behoben in
7.50.1
CVE-2026-27674 describes a Code Injection vulnerability within SAP NetWeaver Application Server Java (Web Dynpro Java), specifically impacting versions 7.50–WD-RUNTIME 7.50. This flaw allows an unauthenticated attacker to inject crafted input that is then interpreted by the application, potentially leading to the execution of attacker-controlled content within a victim's browser. Successful exploitation could result in session compromise and data integrity issues.
The primary impact of CVE-2026-27674 is the potential for session compromise and the execution of arbitrary client-side code within a victim's browser. An attacker could craft malicious input that, when accessed by a user interacting with the vulnerable Web Dynpro Java functionality, would trigger the execution of the attacker's code. This could enable the attacker to steal session cookies, impersonate the user, and gain unauthorized access to sensitive data or functionality within the SAP NetWeaver environment. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. While the description doesn't explicitly mention lateral movement, a compromised session could be leveraged to access other resources within the SAP environment, depending on the user's privileges and the application's configuration.
CVE-2026-27674 was published on 2026-04-14. As of this date, no public proof-of-concept (PoC) code is publicly available. The vulnerability's CVSS score of 6.1 (MEDIUM) indicates a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. The lack of a readily available fix and public exploit suggests a lower immediate risk, but proactive mitigation is still recommended.
Organizations heavily reliant on SAP NetWeaver Application Server Java (Web Dynpro Java) for critical business processes are at significant risk. Specifically, deployments using the affected version 7.50–WD-RUNTIME 7.50 are immediately vulnerable. Environments with weak input validation practices or lacking WAF protection are particularly susceptible to exploitation.
• java / server:
# Check for suspicious user input handling in Web Dynpro Java code
grep -r 'userInput.toString()' /path/to/application/code• generic web:
# Monitor access logs for unusual requests containing potentially malicious input
grep -i 'script' /var/log/apache2/access.logdisclosure
Exploit-Status
EPSS
0.06% (18% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-27674 is to upgrade to a patched version of SAP NetWeaver Application Server Java (Web Dynpro Java) as soon as it becomes available. SAP has not yet released a fixed version as of the publication date. In the interim, consider implementing input validation and sanitization techniques within the Web Dynpro Java application to prevent the injection of malicious code. Web Application Firewalls (WAFs) configured to detect and block suspicious input patterns could also provide a layer of defense. Review and restrict access to the vulnerable Web Dynpro Java functionality to minimize the potential impact of a successful attack.
Aplique el parche de seguridad SAP 3719397 para mitigar la vulnerabilidad de inyección de código. Consulte la nota de SAP y el Security Patch Day para obtener instrucciones detalladas sobre la aplicación del parche y las versiones afectadas.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-27674 is a Code Injection vulnerability affecting SAP NetWeaver Application Server Java (Web Dynpro Java) allowing attackers to execute client-side code via crafted input, potentially leading to session compromise.
If you are using SAP NetWeaver Application Server Java (Web Dynpro Java) version 7.50–WD-RUNTIME 7.50, you are potentially affected by this vulnerability. Check SAP Security Notes for updates.
The recommended fix is to upgrade to a patched version of SAP NetWeaver Application Server Java (Web Dynpro Java) as soon as it becomes available. Monitor SAP Security Notes for updates.
Active exploitation campaigns are not currently confirmed, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the official SAP Security Notes for the latest information and advisory regarding CVE-2026-27674: https://www.sap.com/security/bulletins.html
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.