CVE-2026-27681 · EXPLOITED
CVSS 9.9
sap · sap business planning and consolidation and sap business warehou

SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse

Description

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

Affected Products

Vendor: sap
Product: sap business planning and consolidation and sap business warehou
Versions: HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758, 816

References

  • https://me.sap.com/notes/3719353
  • https://url.sap/sapsecuritypatchday

Related News (3 articles)

Tier D · SecurityWeek · 8h ago
SAP Patches Critical ABAP Vulnerability
→ No new info (linked only)

Tier D · Heise Security · 8h ago
SAP Patch Day: One critical SQL injection vulnerability, and 18 more
→ No new info (linked only)

Tier C · VulDB · 13h ago
CVE-2026-27681 | SAP Business Planning and Consolidation and Business Warehouse sql injection
→ No new info (linked only)

CVSS 3.1: 9.9 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-89
Published: Apr 14, 2026
Last enriched: 7h ago (v3)
Trending Score: 67
Source articles: 3
Independent: 3
Info Completeness: 9/14
Missing: epss, kev, patch, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-27674 · EXP
Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)
Trending: 45

MEDIUM · CVE-2026-27683 · EXP
Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 40

LOW · CVE-2026-27675 · EXP
Code Injection vulnerability in SAP Landscape Transformation
Trending: 38

HIGH · CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Trending: 37

MEDIUM · CVE-2026-24318
Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 34

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

Apr 14, 2026 · CVE Published
Apr 14, 2026 · Discovered by ZDM
Apr 14, 2026 · Updated: description
Apr 14, 2026 · Updated: exploitAvailable, activelyExploited
Apr 14, 2026 · Actively Exploited
Apr 14, 2026 · Exploit Available

Version History

Current: v3 (last enriched 7h ago)

v3 · Tier D · 7h ago · via Heise Security
Updated exploit availability to true and marked the vulnerability as actively exploited.
Changed fields: exploitAvailable, activelyExploited

v2 · Tier D · 7h ago · via SecurityWeek
Updated description with new technical details and marked the vulnerability as actively exploited with an exploit available.
Changed fields: description

v1 · 18h ago
Initial creation