Is Sap affected by EUVD-2026-22154?

SAP Business Planning and Consolidation (BPC) and Business Warehouse (BW) contain a critical SQL injection vulnerability (CVE-2026-27681, CVSS 9.9) that allows authenticated database users to execute arbitrary SQL commands and potentially compromise shared database infrastructure supporting…

EUVD-2026-22154

| CVE-2026-27681 CRITICAL

2026-04-14 [email protected]

GHSA-qv8q-6q9m-8ch9

Sap SQLi

9.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 17, 2026 - 15:35 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 17, 2026 - 15:22 vuln.today

cvss_changed

Analysis Generated

Apr 14, 2026 - 00:25 vuln.today

DescriptionNVD

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

AnalysisAI

SQL injection in SAP Business Planning and Consolidation (BPC) and SAP Business Warehouse (BW) allows authenticated users to execute arbitrary SQL commands against the database. Affected versions span SAP_BW 750-758, BPC4HANA 300, and HANABPC 810/816. …

RemediationAI

Within 24 hours: Identify and inventory all SAP BW and BPC systems running affected versions (750-758, BPC4HANA 300, HANABPC 810/816) and document current user access levels; enable enhanced database query logging and SQL statement auditing. Within 7 days: Restrict database access for non-administrative SAP application accounts using principle-of-least-privilege; review and revoke unnecessary authenticated database permissions per SAP security note 3719353; document all compensating controls implemented. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-22154 vulnerability details – vuln.today

Back

EUVD-2026-22154

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code