Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3838 articles · 175945 vulns · 37/41 feeds (7d)
← Back to list
9.0
CVE-2026-40128PATCHED
sap · netweaver application server java

Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

Description

SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.

Affected Products

VendorProductVersions
sapnetweaver application server javaENGINEAPI 7.50

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
sapsap softwarecert_advisory90%

References

  • https://me.sap.com/notes/3727078
  • https://url.sap/sapsecuritypatchday

Related News (6 articles)

Tier B
BSI Advisories11h ago
[NEU] [hoch] SAP Patch Day Juli 2026
→ No new info (linked only)
Tier D
CSO Online34d ago
June Patch Tuesday marks a ‘new normal’ with over 200 CVEs, 32 rated ‘critical’
→ No new info (linked only)
Tier D
BleepingComputer35d ago
SAP fixes critical flaws in NetWeaver and Commerce Cloud
→ No new info (linked only)
Tier D
Heise Security35d ago
SAP-Patchday: Kritische Lücken in SAP NetWeaver und weitere Schwachstellen
→ No new info (linked only)
Tier C
VulDB35d ago
CVE-2026-40128 | SAP NetWeaver Application Server Java 7.50 HTTP path traversal
→ No new info (linked only)
Tier B
CERT-FR35d ago
Multiples vulnérabilités dans les produits SAP (09 juin 2026)
→ No new info (linked only)
CVSS 3.19.0 CRITICAL
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited❌ No
Patch available
null
CWECWE-35
PublishedJun 9, 2026
Last enriched35d agov2
Trending Score59
Source articles6
Independent6
Info Completeness9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-44747EXP
Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP
Trending: 75
CRITICALCVE-2026-44761EXP
Insecure Sample Credentials in SAP Commerce Cloud
Trending: 61
CRITICALCVE-2026-44745EXP
Open Redirect vulnerability in SAP Approuter
Trending: 61
HIGHCVE-2026-44752EXP
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard)
Trending: 59
CRITICALCVE-2026-27690
HTTP Request Smuggling in SAP Approuter
Trending: 51

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jun 9, 2026
Discovered by ZDM
Jun 9, 2026
Updated: description, patchAvailable
Jun 9, 2026
Patch Available
Jun 10, 2026

Version History

v2
Last enriched 35d ago
v2Tier C35d ago

Updated description with more technical details and corrected exploit availability to false.

descriptionpatchAvailable
via VulDB
v135d ago

Initial creation