CVE-2026-40128
Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)
CVSS Score
9.0
EPSS Score
0.1%
EPSS Percentile
27th
SAP NetWeaver Application Server Java (Web Container) allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. Processing the included file could allow the attacker to view or modify sensitive information or render any part of the local system unavailable.
| Vendor | sap_se |
| Product | sap netweaver application server java (web container) |
| Published | Jun 9, 2026 |
| Last Updated | Jun 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for sap_se sap netweaver application server java (web container)
Be the first to know when new critical vulnerabilities affecting sap_se sap netweaver application server java (web container) are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
SAP_SE / SAP NetWeaver Application Server Java (Web Container)
ENGINEAPI 7.50