CVE-2026-27671 – SAP NetWeaver / Spring Security
“These critical patches close serious paths to data exposure, service disruption, and platform compromise.”
SAP and VMware patched four Critical vulnerabilities across SAP NetWeaver, ABAP Platform, SAP NetWeaver Application Server Java, and Spring Security. CVE-2026-44748 has a CVSS score of 9.9, which is Critical severity. CVE-2026-27671 has a CVSS score of 9.8, which is Critical severity. CVE-2026-22732 has a CVSS score of 9.1, which is Critical severity. CVE-2026-40128 has a CVSS score of 9.0, which is Critical severity.
The SAP vulnerabilities cover signed XML tampering, improper RFC protocol validation, and path traversal through malicious HTTP logon requests. These issues can lead to unauthorized access, memory corruption, data exposure, and service disruption. The Spring Security issue can prevent expected HTTP security headers from being written. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-121