Severity: medium | Published: 2026-05-12 | Product: SAP NetWeaver | CVE-2026-40135

OS Command Injection in SAP NetWeaver Application Server ABAP

SAP NetWeaver Application Server ABAP

Our Take

Broad version coverage across virtually every BASIS release makes this universally relevant. Medium severity, but the breadth of impact pushes it up the priority list. Patch in the next planned window.

Vulnerability Detail

OS command injection vulnerability in SAP NetWeaver AS ABAP affecting an extremely broad range of BASIS versions. Allows execution of operating system commands under specific conditions.

Patch Action

Apply SAP Note 3730019.

Affected Versions

SAP_BASIS 700–758
816
918

Patch Info

CVSS Score

6.5

SAP Note

3730019

CVE

CVE-2026-40135

Published

2026-05-12

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.