Plataforma
sap
Componente
sap-netweaver-application-server-java
Corregido en
7.50.1
CVE-2026-27674 describes a Code Injection vulnerability discovered in SAP NetWeaver Application Server Java (Web Dynpro Java). This flaw allows an unauthenticated attacker to inject malicious code through crafted input, which, when accessed by a victim, can be executed within their browser. The vulnerability impacts versions 7.50–WD-RUNTIME 7.50 and requires immediate attention to prevent potential session compromise.
The primary impact of CVE-2026-27674 is the potential for session compromise. A successful exploit allows an attacker to execute arbitrary client-side code within the victim's browser. This can lead to the theft of sensitive information, unauthorized access to application functionalities, and potential manipulation of data. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of attackers. The ability to execute arbitrary code opens the door to various malicious activities, including cross-site scripting (XSS) attacks and the injection of malware. While the description doesn't explicitly mention lateral movement, a compromised session could be leveraged to gain further access within the SAP environment.
CVE-2026-27674 was publicly disclosed on 2026-04-14. Its CVSS score of 6.1 (Medium) indicates a moderate risk. As of this writing, there are no publicly available Proof-of-Concept (PoC) exploits. The vulnerability has been added to the CISA KEV catalog. Active exploitation campaigns are not currently confirmed, but the ease of exploitation (unauthenticated) warrants proactive mitigation.
Organizations heavily reliant on SAP NetWeaver Application Server Java (Web Dynpro Java) for critical business processes are at significant risk. Specifically, deployments using the affected version 7.50–WD-RUNTIME 7.50 are immediately vulnerable. Environments with weak input validation practices or lacking WAF protection are particularly susceptible to exploitation.
• java / server:
# Check for suspicious user input handling in Web Dynpro Java code
grep -r 'userInput.toString()' /path/to/application/code• generic web:
# Monitor access logs for unusual requests containing potentially malicious input
grep -i 'script' /var/log/apache2/access.logdisclosure
Estado del Exploit
EPSS
0.06% (18% percentil)
CISA SSVC
Vector CVSS
The primary mitigation for CVE-2026-27674 is to upgrade to a patched version of SAP NetWeaver Application Server Java (Web Dynpro Java) as soon as it becomes available. SAP has not yet released a fixed version, so monitoring SAP Security Notes is crucial. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data within the Web Dynpro Java application. Consider using a Web Application Firewall (WAF) to filter out potentially malicious input. Regularly review and update application security configurations to minimize the attack surface. After applying any mitigation, thoroughly test the application to ensure functionality remains intact and the vulnerability is effectively addressed.
Aplique el parche de seguridad SAP 3719397 para mitigar la vulnerabilidad de inyección de código. Consulte la nota de SAP y el Security Patch Day para obtener instrucciones detalladas sobre la aplicación del parche y las versiones afectadas.
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
CVE-2026-27674 is a Code Injection vulnerability affecting SAP NetWeaver Application Server Java (Web Dynpro Java) allowing attackers to execute client-side code via crafted input, potentially leading to session compromise.
If you are using SAP NetWeaver Application Server Java (Web Dynpro Java) version 7.50–WD-RUNTIME 7.50, you are potentially affected by this vulnerability. Check SAP Security Notes for updates.
The recommended fix is to upgrade to a patched version of SAP NetWeaver Application Server Java (Web Dynpro Java) as soon as it becomes available. Monitor SAP Security Notes for updates.
Active exploitation campaigns are not currently confirmed, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the official SAP Security Notes for the latest information and advisory regarding CVE-2026-27674: https://www.sap.com/security/bulletins.html
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.