{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27675", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-02-23T17:50:10.513Z", "datePublished": "2026-04-14T00:07:01.278Z", "dateUpdated": "2026-04-14T13:14:18.764Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:01.278Z"}, "title": "Code Injection vulnerability in SAP Landscape Transformation", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Landscape Transformation", "versions": [{"status": "affected", "version": "DMIS 2011_1_700"}, {"status": "affected", "version": "2011_1_710"}, {"status": "affected", "version": "2011_1_730"}, {"status": "affected", "version": "2011_1_731"}, {"status": "affected", "version": "2011_1_752"}, {"status": "affected", "version": "2020"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3723097"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 2, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:55:15.514456Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:14:18.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27675", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T12:55:15.514456Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:09:18.783Z"}}], "cna": {"title": "Code Injection vulnerability in SAP Landscape Transformation", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Landscape Transformation", "versions": [{"status": "affected", "version": "DMIS 2011_1_700"}, {"status": "affected", "version": "2011_1_710"}, {"status": "affected", "version": "2011_1_730"}, {"status": "affected", "version": "2011_1_731"}, {"status": "affected", "version": "2011_1_752"}, {"status": "affected", "version": "2020"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3723097"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-04-14T00:07:01.278Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27675", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:14:18.764Z", "dateReserved": "2026-02-23T17:50:10.513Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-04-14T00:07:01.278Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. This leads to a low impact on integrity, while confidentiality and availability are not impacted."}], "id": "CVE-2026-27675", "lastModified": "2026-04-14T00:16:05.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 1.4, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-04-14T00:16:05.823", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3723097"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "DMIS 2011_1_700"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2011_1_710"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2011_1_730"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2011_1_731"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2011_1_752"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2020"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "SAP Landscape Transformation", "source": "cna", "vendor": "SAP_SE"}, "product": "landscape_transformation", "vendor": "sap"}], "analysis": {"en": {"generated_at": "2026-04-14T01:51:18.209822+00:00", "value": {"mitigation_remediation": ["Apply the patch or update referenced in SAP Note 3723097 to all affected SAP Landscape Transformation instances.", "If a patch is not yet available, restrict the vulnerable RFC function module to trusted users and enforce network segmentation to limit exposure.", "Monitor ABAP execution logs and other system activity to detect abnormal code execution or unauthorized changes."], "summary": {"action": "Patch", "impact": "Low integrity impact"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the SAP Landscape Transformation product from SAP SE. No specific product versions are listed, so administrators should verify whether their installations are covered by this issue.", "description_and_impact": "An RFC\u2011exposed function module in SAP Landscape Transformation allows a high privileged user to inject arbitrary ABAP code and operating\u2011system commands. The injected code can alter system behavior, but the attacker cannot fully control what changes occur; the result is limited primarily to integrity with no direct impact on confidentiality or availability.", "risk_and_exploitability": "The CVSS score of 2 indicates a low severity assessment. EPSS information is not available and the vulnerability is not in the CISA KEV catalog. The attack vector is inferred to be a remote interaction via the exposed RFC function, requiring a high\u2011privileged account. The combination of low severity and high privilege requirement leads to a low overall risk, yet the availability of an exploitation path warrants patching to prevent potential integrity violations."}}}}, "created": "2026-04-14T16:16:31.168509+00:00", "updated": "2026-04-14T16:31:27.685300+00:00", "vendors": ["sap", "sap$PRODUCT$landscape_transformation"]}