CVE-2026-0507

Due to an OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the system�s confidentiality, integrity, and availability.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 6.0

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3675151
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Debido a una vulnerabilidad de inyección de comandos del sistema operativo en SAP Servidor de aplicaciones para ABAP y SAP NetWeaver RFCSDK, un atacante autenticado con acceso administrativo y acceso a la red adyacente podría cargar contenido especialmente diseñado al servidor. Si es procesado por la aplicación, este contenido permite la ejecución de comandos arbitrarios del sistema operativo. La explotación exitosa podría llevar a un compromiso total de la confidencialidad, integridad y disponibilidad del sistema.

13 Jan 2026, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-13 02:15

Updated : 2026-04-15 00:35

NVD link : CVE-2026-0507

Mitre link : CVE-2026-0507

CVE.ORG link : CVE-2026-0507

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

8.4 /10