CVE-2026-27685 PUBLISHED

Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Assigner: sap
Reserved: 23.02.2026 Published: 10.03.2026 Updated: 10.03.2026

SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver Enterprise Portal Administration
Versions	Default: unaffected Version EP-RUNTIME 7.50 is affected

References

https://me.sap.com/notes/3714585
https://url.sap/sapsecuritypatchday

CVE-2026-27685 PUBLISHED

Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Metrics

Product Status

References

Problem Types