CVE-2026-0507 OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK

🗓️ 13 Jan 2026 01:15:36Reported by sapType

Authenticated admin can upload crafted content to SAP ABAP server, enabling OS command execution.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2026-0507	13 Jan 202603:00	–	circl
CNNVD	SAP Application Server for ABAP 操作系统命令注入漏洞	13 Jan 202600:00	–	cnnvd
CVE	CVE-2026-0507	13 Jan 202601:15	–	cve
EUVD	EUVD-2026-2380	13 Jan 202601:15	–	euvd
NCSC	Vulnerabilities fixed in SAP products	13 Jan 202614:42	–	ncsc
NVD	CVE-2026-0507	13 Jan 202602:15	–	nvd
Positive Technologies	PT-2026-2341	13 Jan 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-0507	14 Jan 202601:22	–	redhatcve
Tenable Nessus	SAP NetWeaver Command Injection (January 2026)	16 Jan 202600:00	–	nessus
Vulnrichment	CVE-2026-0507 OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK	13 Jan 202601:15	–	vulnrichment

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Application Server for ABAP and SAP NetWeaver RFCSDK",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "KRNL64UC 7.53"
      },
      {
        "status": "affected",
        "version": "NWRFCSDK 7.50"
      },
      {
        "status": "affected",
        "version": "KERNEL 7.53"
      },
      {
        "status": "affected",
        "version": "7.54"
      },
      {
        "status": "affected",
        "version": "7.77"
      },
      {
        "status": "affected",
        "version": "7.89"
      },
      {
        "status": "affected",
        "version": "7.93"
      },
      {
        "status": "affected",
        "version": "9.16"
      }
    ]
  }
]

Source	Link
me	www.me.sap.com/notes/3675151
url	www.url.sap/sapsecuritypatchday

13 Jan 2026 01:15Current

CVSS 3.18.4

EPSS0.01375

CWE-78