Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on the integrity, with no impact to the confidentiality and availability of the system.
AnalysisAI
Code injection in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform allows authenticated attackers to execute arbitrary code for subscribed channel users by sending specially crafted inputs. The vulnerability has low integrity impact with no confidentiality or availability consequences. CVSS 4.3 (low severity) reflects the requirement for authenticated access, but the ability to affect other users elevates practical risk in multi-tenant environments.
Technical ContextAI
This vulnerability exploits improper input validation in the SAP Application Server ABAP message/subscription channel processing mechanism. The root cause is CWE-94 (Code Injection), which occurs when user-controlled input is incorporated into code that is subsequently executed. The attack occurs within the context of notification channels where authenticated users can submit data that is broadcast to other subscribed users without proper sanitization or escaping. The vulnerability affects all versions of SAP Application Server ABAP for SAP NetWeaver and ABAP Platform as indicated by the wildcard CPE, suggesting a systemic issue in the channel message handling framework rather than version-specific flaw.
RemediationAI
Apply the security patch released by SAP as detailed in SAP Note 3735359 and the SAP Security Patch Day announcement at https://url.sap/sapsecuritypatchday. Because the CVE description does not specify fixed versions, consult SAP's official advisory to identify the patched version for your specific NetWeaver or ABAP Platform release line. As an interim compensating control pending patch deployment, restrict access to notification/subscription channel features to trusted user groups with elevated access controls, implement input validation and content security policies at the application layer to block injection patterns in message payloads, and monitor channel subscription activity for suspicious or unusual message content. Note that these controls may limit legitimate functionality depending on how channels are used in your environment; coordinate with business stakeholders before implementing access restrictions. Log all channel message submissions and review them for injection payloads to detect attempted exploitation. No workaround is available that fully mitigates the vulnerability without patching.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29361
GHSA-f762-3chp-r6jr