CVE-2026-27684: SQL Injection in SAP SE SAP NetWeaver

CWE-89: SQL Injection | 3 documents | 3 sources
Severity: 6.4 MEDIUM (NVD)
EPSS: 0.0% (top 87.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Mar 10

Description

SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on t

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L

Exploitability: 3.1 | Impact: 2.7

Affected Packages (1 package)

CVEListV5 | sap_se/sap_netweaver | 18 versions

🔴 Vulnerability Details (2)

CVEList: SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification) (2026-03-10)

GHSA: GHSA-qh9r-rhxc-jw9f: SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code (2026-03-10)