CVE-2026-23686
EUVD-2026-646110.02.2026, 04:16
Due to a CRLF Injection vulnerability in SAP NetWeaver Application Server Java, an authenticated attacker with administrative access could submit specially crafted content to the application. If processed by the application, this content enables injection of untrusted entries into generated configuration, allowing manipulation of application-controlled settings. Successful exploitation leads to a low impact on integrity, while confidentiality and availability remain unaffected.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| sap | netweaver_application_server_java | 7.50 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')The software receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
- CWE-436 - Interpretation ConflictProduct A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.