Zero Day Monitor (ZDM)
6.1
CVE-2026-27674 · EXPLOITED
sap · netweaver application server java (web dynpro java)

Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)

Description

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim's browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.

Affected Products

Vendor | Product | Versions
sap | netweaver application server java (web dynpro java) | WD-RUNTIME 7.50

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
sap | sap software | cert_advisory | 90%

References

  • https://me.sap.com/notes/3719397
  • https://url.sap/sapsecuritypatchday

Related News (2 articles)

Tier B · BSI Advisories · 5d ago
[NEW] [high] SAP Patchday April 2026: Multiple vulnerabilities
→ No new info (linked only)
Tier C · VulDB · 6d ago
CVE-2026-27674 | SAP NetWeaver Application Server Java 7.50 code injection
→ No new info (linked only)
CVSS 3.1: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-94
Published: Apr 14, 2026
Last enriched: 6d ago (v2)
Trending Score: 24
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-27681 · EXP
SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
Trending: 38
MEDIUM · CVE-2026-27683 · EXP
Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 22
HIGH · CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Trending: 22
LOW · CVE-2026-27675 · EXP
Code Injection vulnerability in SAP Landscape Transformation
Trending: 21
MEDIUM · CVE-2026-24318
Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 20

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published · Apr 14, 2026
Discovered by ZDM · Apr 14, 2026
Updated: severity, activelyExploited · Apr 14, 2026
Actively Exploited · Apr 15, 2026

Version History

v2
Last enriched 6d ago
v2 · Tier C · 6d ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severity, activelyExploited
via VulDB
v1 · 6d ago

Initial creation