SQL Injection Vulnerability in SAP NetWeaver Feedback Notifications Service
CVE-2026-27684
6.4 MEDIUM
Key Information:
- Vendor: SAP
- CVE Published: 10 March 2026
What is CVE-2026-27684?
The SAP NetWeaver Feedback Notifications Service is susceptible to a SQL injection vulnerability that arises from improper handling of user input. An authenticated attacker can inject arbitrary SQL commands directly through input fields, because the application does not validate or escape these inputs before incorporating them into SQL queries. This could allow unauthorized access to, or modification of, database information, posing a significant risk to the application's security posture.
Affected Version(s)
SAP NetWeaver (Feedback Notification) SAP_ABA 700
SAP NetWeaver (Feedback Notification) 701
SAP NetWeaver (Feedback Notification) 702