免费扫描
CRITICALCVE-2026-0509CVSS 9.6

Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform

翻译中…

平台

sap

组件

sap-netweaver-application-server-abap-and-abap-platform

修复版本

64.0.1

7.22.1

64.0.1

7.53.1

7.22.1

7.54.1

7.77.1

7.89.1

7.93.1

9.16.1

9.18.1

9.19.1

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2026-0509 is a critical command injection vulnerability affecting the @profullstack/mcp-server package. The vulnerability resides within the domain_lookup module, specifically in the /domain-lookup/check and /domain-lookup/bulk endpoints. An attacker can exploit this flaw to execute arbitrary operating system commands on the server hosting the application, leading to potential data breaches and system compromise.

影响与攻击场景翻译中…

The impact of CVE-2026-0509 is severe due to the potential for remote code execution (RCE). An attacker can inject arbitrary commands through the vulnerable endpoints, gaining complete control over the server. This could lead to data exfiltration, malware installation, denial of service, or any other action the attacker can perform with system-level privileges. The blast radius includes any data stored on the server, as well as the potential for lateral movement to other systems on the network if the server has access to them. This vulnerability is comparable in severity to other command injection flaws that have resulted in significant data breaches and system compromises.

利用背景翻译中…

The vulnerability was published on 2026-05-08. The CVSS score is 9.8 (CRITICAL). The affected commit is 2e8ea913573610667ad54e31dba2e8198ebf7cf9. No public exploits are currently known, but the high CVSS score indicates a high potential for exploitation. The vulnerability is not currently listed on KEV or EPSS, but its severity warrants close monitoring. Refer to the project's GitHub repository and the NVD entry for CVE-2026-0509 for further details.

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.02% (4% 百分位)

CISA SSVC

利用情况none
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H9.6CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredLow攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
低 — 任何有效用户账户均可。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
无 — 无机密性影响。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件sap-netweaver-application-server-abap-and-abap-platform
供应商SAP_SE
影响范围修复版本
KRNL64NUC 7.22 – KRNL64NUC 7.2264.0.1
7.22EXT – 7.22EXT7.22.1
KRNL64UC 7.22 – KRNL64UC 7.2264.0.1
7.53 – 7.537.53.1
KERNEL 7.22 – KERNEL 7.227.22.1
7.54 – 7.547.54.1
7.77 – 7.777.77.1
7.89 – 7.897.89.1
7.93 – 7.937.93.1
9.16 – 9.169.16.1
9.18 – 9.189.18.1
9.19 – 9.199.19.1

弱点分类 (CWE)

CWE-862

时间线

  1. 已保留
  2. 发布日期
  3. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2026-0509 is to upgrade @profullstack/mcp-server to a patched version. As of the publication date, a specific fixed version is not provided, so monitor the project's GitHub repository for updates. As a temporary workaround, input validation and sanitization should be implemented on the /domain-lookup/check and /domain-lookup/bulk endpoints to prevent command injection. Consider implementing a Web Application Firewall (WAF) with rules to detect and block command injection attempts. Regularly scan the application for vulnerabilities using automated tools. After upgrading, verify the fix by attempting to inject a simple command (e.g., whoami) through the vulnerable endpoints – it should be rejected.

修复方法翻译中…

Aplicar la actualización de seguridad proporcionada por SAP. Consulte la nota SAP 3674774 para obtener más detalles e instrucciones específicas sobre cómo aplicar el parche a su sistema SAP NetWeaver ABAP.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2026-0509 in SAP NetWeaver Application Server ABAP and ABAP Platform?

It's a critical command injection vulnerability in @profullstack/mcp-server allowing attackers to execute arbitrary OS commands.

Am I affected by CVE-2026-0509 in SAP NetWeaver Application Server ABAP and ABAP Platform?

If you are using @profullstack/mcp-server versions less than or equal to 1.4.12, you are potentially affected.

How do I fix CVE-2026-0509 in SAP NetWeaver Application Server ABAP and ABAP Platform?

Upgrade to a patched version of @profullstack/mcp-server. Monitor the project's GitHub repository for updates.

Is CVE-2026-0509 being actively exploited?

No public exploits are currently known, but the vulnerability is considered highly exploitable.

Where can I find the official SAP NetWeaver Application Server ABAP and ABAP Platform advisory for CVE-2026-0509?

Refer to the project's GitHub repository and the NVD entry for CVE-2026-0509 for detailed information.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE