Code Injection in SAP NetWeaver AS Java Web Dynpro (CVE-2026-27674)
CVE-2026-27674 Published on April 14, 2026
Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java)
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victims browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.
Vulnerability Analysis
CVE-2026-27674 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-27674 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-27674
Want to know whenever a new CVE is published for SAP Netweaver Application Server Java? stack.watch will email you.
