CVE-2026-40135 PUBLISHED

OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Assigner: sap
Reserved: 09.04.2026 Published: 12.05.2026 Updated: 12.05.2026

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver Application Server for ABAP and ABAP Platform
Versions	Default: unaffected Version SAP_BASIS 700 is affected Version SAP_BASIS 701 is affected Version SAP_BASIS 702 is affected Version SAP_BASIS 731 is affected Version SAP_BASIS 740 is affected Version SAP_BASIS 750 is affected Version SAP_BASIS 751 is affected Version SAP_BASIS 752 is affected Version SAP_BASIS 753 is affected Version SAP_BASIS 754 is affected Version SAP_BASIS 755 is affected Version SAP_BASIS 756 is affected Version SAP_BASIS 757 is affected Version SAP_BASIS 758 is affected Version SAP_BASIS 816 is affected

CVE-2026-40135 PUBLISHED

OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Metrics

Product Status

References

Problem Types