Platform
sap
Component
sap-netweaver-application-server-java
Fixed in
7.50.1
CVE-2026-27674 describes a Code Injection vulnerability discovered in SAP NetWeaver Application Server Java (Web Dynpro Java). This flaw allows an unauthenticated attacker to inject malicious code through crafted input, which, when accessed by a victim, can be executed within their browser. The vulnerability impacts versions 7.50–WD-RUNTIME 7.50 and requires immediate attention to prevent potential session compromise.
The primary impact of CVE-2026-27674 is the potential for session compromise. A successful exploit allows an attacker to execute arbitrary client-side code within the victim's browser. This can lead to the theft of sensitive information, unauthorized access to application functionalities, and potential manipulation of data. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers. The ability to execute arbitrary code opens the door to various malicious activities, including cross-site scripting (XSS) attacks and the injection of malware. While the description doesn't explicitly mention lateral movement, a compromised session could be leveraged to gain further access within the SAP environment.
CVE-2026-27674 was publicly disclosed on 2026-04-14. Its CVSS score of 6.1 (Medium) indicates a moderate risk. As of this writing, there are no publicly available Proof-of-Concept (PoC) exploits. The vulnerability has been added to the CISA KEV catalog. Active exploitation campaigns are not currently confirmed, but the ease of exploitation (unauthenticated) warrants proactive mitigation.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27674 is to upgrade to a patched version of SAP NetWeaver Application Server Java (Web Dynpro Java) as soon as it becomes available. SAP has not yet released a fixed version, so monitoring SAP Security Notes is crucial. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data within the Web Dynpro Java application. Consider using a Web Application Firewall (WAF) to filter out potentially malicious input. Regularly review and update application security configurations to minimize the attack surface. After applying any mitigation, thoroughly test the application to ensure functionality remains intact and the vulnerability is effectively addressed.
Apply SAP security patch 3719397 to mitigate the code injection vulnerability. Refer to the SAP note and Security Patch Day for detailed instructions on patch application and affected versions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-27674 is a Code Injection vulnerability affecting SAP NetWeaver Application Server Java (Web Dynpro Java) allowing attackers to execute client-side code via crafted input, potentially leading to session compromise.
If you are using SAP NetWeaver Application Server Java (Web Dynpro Java) version 7.50–WD-RUNTIME 7.50, you are potentially affected by this vulnerability. Check SAP Security Notes for updates.
The recommended fix is to upgrade to a patched version of SAP NetWeaver Application Server Java (Web Dynpro Java) as soon as it becomes available. Monitor SAP Security Notes for updates.
Active exploitation campaigns are not currently confirmed, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the official SAP Security Notes for the latest information and advisory regarding CVE-2026-27674: https://www.sap.com/security/bulletins.html
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.