
CVE-2026-27674 is a Code Injection vulnerability (CWE-94) in SAP NetWeaver Application Server Java, specifically the Web Dynpro Java component, that allows unauthenticated attackers to supply crafted input causing the application to reference attacker-controlled content. If a victim accesses the affected functionality, the attacker-controlled content can execute arbitrary client-side code in the victim's browser, potentially resulting in session compromise. The vulnerability affects SAP NetWeaver AS Java version 7.50 (WD-RUNTIME 7.50). It was published on April 14, 2026, and carries a CVSS v3.1 base score of 6.1 (Medium) (Github Advisory, SAP Security Notes).
The root cause is improper control of code generation (CWE-94): the Web Dynpro Java component fails to neutralize or correctly sanitize externally supplied input before the application interprets it. An unauthenticated, network-based attacker can craft input that causes the application to reference attacker-controlled content; when a victim user accesses the affected functionality, that content executes in their browser context, a behavior consistent with reflected cross-site scripting or client-side code injection. Exploitation requires user interaction (a victim must access the affected functionality), but no authentication or special privileges are needed on the attacker's side. The scope change in the CVSS vector indicates that the impact extends beyond the vulnerable component itself to the victim's browser session (Github Advisory, SAP Security Notes).
Successful exploitation allows an attacker to execute arbitrary client-side code in a victim's browser, potentially leading to session compromise, theft of session tokens or credentials, and unauthorized modification of application behavior as seen by the victim. The vulnerability impacts confidentiality and integrity at a low level (per CVSS), with no impact to availability. Because the scope is changed, the impact extends beyond the SAP NetWeaver AS Java component itself to the victim's browser environment, enabling data theft or manipulation of application interactions (Github Advisory).
SAP addressed this vulnerability as part of the April 2026 SAP Security Patch Day; organizations should apply SAP Security Note 3719397, which contains the official patch for SAP NetWeaver AS Java (Web Dynpro Java) version 7.50 (SAP Security Notes, Github Advisory). As interim mitigations, organizations should restrict access to Web Dynpro Java functionality to trusted users and networks where operationally feasible, implement input validation and output encoding controls at the application or WAF layer, and educate users about phishing attacks that could be used to deliver malicious URLs targeting this vulnerability (Onapsis Blog).
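The advisory above does not include code, so the following is an added illustration (not SAP's or Web Dynpro's own implementation) of the two interim controls it recommends, input validation and output encoding, applied to the reflected-content pattern it describes. It assumes a hypothetical page that takes a `resource` query parameter naming a script to reference and a `name` parameter it echoes back; the parameter names, the allowlisted origin and the sample inputs are all constructed for the example.

```python
"""Constructed example of validating and encoding reflected untrusted input.

This is not SAP's code. The endpoint, parameter names (`resource`, `name`)
and the allowlisted origin are assumptions made for illustration.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only origins from which the page may load a
# referenced resource. In a real deployment this comes from configuration.
ALLOWED_ORIGINS = {"https://app.example.internal"}


def validate_resource_url(value: str) -> Optional[str]:
    """Return `value` if it is safe to reference, otherwise None.

    Accepts a root-relative path ("/static/app.js") or an absolute http(s)
    URL whose origin is allowlisted. Rejects protocol-relative URLs
    ("//evil.example/x.js", which urlsplit parses as a netloc with no scheme),
    non-http schemes such as "javascript:" and any non-allowlisted host.
    """
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Root-relative path only; urlsplit has already excluded "//host" here.
        return value if value.startswith("/") else None
    if parts.scheme in ("http", "https"):
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin in ALLOWED_ORIGINS:
            return value
    return None


def render_unsafe(name: str, resource: str) -> str:
    """Vulnerable pattern: untrusted values are concatenated straight into
    markup, so a crafted `resource` loads attacker-controlled content and a
    crafted `name` injects markup into the page."""
    return f'<script src="{resource}"></script><p>Hello {name}</p>'


def render_safe(name: str, resource: str) -> str:
    """Hardened pattern: validate the reference against an allowlist, then
    HTML-encode every reflected value for the context it lands in
    (attribute value and text node both use html.escape with quote=True)."""
    url = validate_resource_url(resource)
    script_tag = (
        f'<script src="{html.escape(url, quote=True)}"></script>' if url else ""
    )
    return f"{script_tag}<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    # Constructed inputs showing the difference between the two renderers.
    print(render_unsafe("<b>guest</b>", "//evil.example/x.js"))
    print(render_safe("<b>guest</b>", "//evil.example/x.js"))
    print(render_safe("guest", "/static/app.js"))
```

The allowlist check is the part that addresses "reference attacker-controlled content": encoding alone would still emit a `<script src>` pointing at a foreign host, so the reference has to be rejected before it is rendered. The same two steps can be enforced in front of the application by a WAF rule that drops requests whose resource parameter is not root-relative or allowlisted.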
The vulnerability was covered as part of broader SAP April 2026 Patch Day reporting by several security outlets. Onapsis published an analysis of the April 2026 SAP Security Notes, and SecurityBridge covered the patch day as well (Onapsis Blog, SecurityBridge). GBHackers and SecurityOnline.info also reported on the broader SAP patch day, noting critical flaws addressed alongside this moderate-severity issue (GBHackers, SecurityOnline). No significant independent researcher commentary or social media discussion specific to CVE-2026-27674 has been observed.
Source: This report was generated using artificial intelligence.