Description
SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application.
Published: 2026-03-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection (Authenticated)
Action: Patch
AI Analysis

Impact

The vulnerability lies in the SAP NetWeaver Feedback Notifications Service, where user-controlled fields are concatenated directly into SQL queries without validation. An attacker who has authenticated to the application can inject arbitrary SQL, altering the SELECT WHERE clause. Consequently, the attacker may read, modify, or delete data in the underlying database. The description indicates that the flaw does not affect data integrity and has only a low impact on confidentiality and availability.

Affected Systems

SAP NetWeaver Feedback Notification service is impacted. No specific version information is supplied, implying that the flaw may exist in all releases covered by SAP Note 3697355 until the patch is applied.

Risk and Exploitability

The CVSS score of 6.4 classifies the flaw as moderate risk, yet the EPSS score is below 1%, suggesting that exploitation attempts are unlikely at present. The vulnerability is not listed in the CISA KEV catalog, supporting a lower threat level. Attackers would need authenticated access to the application and must supply crafted input to manipulate SQL queries. Because the flaw is confined to authenticated users, the attack surface is limited, though still significant for internal actors or compromised accounts.

Generated by OpenCVE AI on April 16, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch referenced in SAP Note 3697355 to eliminate the SQL injection code path.
  • Restrict or remove write permissions for the Feedback Notification service user to minimize the blast radius if the flaw remains unpatched.
  • Implement input validation and parameterized queries for any future feature development within the Feedback Notification module, following best practice against CWE-89 weaknesses.

Generated by OpenCVE AI on April 16, 2026 at 09:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Netweaver (feedback Notification)
Vendors & Products Sap Se
Sap Se sap Netweaver (feedback Notification)

Tue, 10 Mar 2026 00:45:00 +0000

Type Values Removed Values Added
Description SAP NetWeaver Feedback Notifications Service contains a SQL injection vulnerability that allows an authenticated attacker to inject arbitrary SQL code through user-controlled input fields. The application concatenates these inputs directly into SQL queries without proper validation or escaping. As a result, an attacker can manipulate the WHERE clause logic and potentially gain unauthorized access to or modify database information. This vulnerability has no impact on integrity and low impact on the confidentiality and availability of the application.
Title SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification)
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L'}

Subscriptions

Sap Se Sap Netweaver (feedback Notification)
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-03-10T16:53:00.603Z

Reserved: 2026-02-23T17:50:17.028Z

Link: CVE-2026-27684

cve-icon Vulnrichment

Updated: 2026-03-10T15:36:03.323Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-10T17:38:10.767

Modified: 2026-03-11T13:53:47.157

Link: CVE-2026-27684

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses