Zero Day Monitor (ZDM)
CVE-2026-27674 · EXPLOITED · CVSS 6.1
sap · sap netweaver application server java (web dynpro java)

Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)

Description

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim's browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.

Affected Products

Vendor: sap
Product: sap netweaver application server java (web dynpro java)
Versions: WD-RUNTIME 7.50

References

  • https://me.sap.com/notes/3719397
  • https://url.sap/sapsecuritypatchday

Related News (1 articles)

Tier C · VulDB · 13h ago
CVE-2026-27674 | SAP NetWeaver Application Server Java 7.50 code injection
→ No new info (linked only)

CVSS 3.1: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-94
Published: Apr 14, 2026
Last enriched: 13h ago (v2)
Trending Score: 45
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-27681 · EXP
SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
Trending: 67

MEDIUM · CVE-2026-27683 · EXP
Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 40

LOW · CVE-2026-27675 · EXP
Code Injection vulnerability in SAP Landscape Transformation
Trending: 38

HIGH · CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Trending: 37

MEDIUM · CVE-2026-24318
Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform
Trending: 34

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published · Apr 14, 2026
Discovered by ZDM · Apr 14, 2026
Updated: severity, activelyExploited · Apr 14, 2026
Actively Exploited · Apr 14, 2026

Version History

v2 · Tier C · 13h ago

Updated severity to CRITICAL and marked the vulnerability as actively exploited.

severity, activelyExploited
via VulDB

v1 · 18h ago

Initial creation