SAP NetWeaver Feedback Notifications Service SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in the SAP NetWeaver Feedback Notifications Service. It allows authenticated attackers to inject arbitrary SQL code through user-controlled input fields. The application does not properly validate or escape these inputs and concatenates them directly into SQL queries. As a result, attackers can manipulate the WHERE clause logic, potentially gaining unauthorized access to or modifying database information. This vulnerability has a low impact on the application's confidentiality and availability, with no impact on integrity.
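The following is an added illustration, not SAP code and not taken from the advisory: a Python/sqlite3 sketch of the pattern described above, showing a concatenated WHERE clause beside the same query with bound parameters. The table, column names, function names and input strings are all constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample data; the real service's schema is not given on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feedback (id INTEGER, owner TEXT, category TEXT)")
    db.executemany(
        "INSERT INTO feedback VALUES (?, ?, ?)",
        [(1, "alice", "ui"), (2, "bob", "ui"), (3, "carol", "perf")],
    )
    return db

def fetch_concatenated(db, owner, category):
    # Flawed pattern: the user-controlled value becomes part of the SQL text,
    # so quotes inside it can close the literal and add their own predicate.
    sql = ("SELECT id FROM feedback WHERE owner = '" + owner +
           "' AND category = '" + category + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def fetch_bound(db, owner, category):
    # Corrected pattern: the statement text is fixed and values are bound,
    # so the input is only ever compared as data against the column.
    sql = "SELECT id FROM feedback WHERE owner = ? AND category = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner, category))]

def compare(category):
    # Run both variants as the authenticated user "alice" (constructed).
    db = make_db()
    return fetch_concatenated(db, "alice", category), fetch_bound(db, "alice", category)

if __name__ == "__main__":
    # Ordinary input: both variants return only alice's row.
    print(compare("ui"))
    # Constructed input containing a quote and an OR term: AND binds tighter
    # than OR, so the concatenated WHERE clause becomes true for every row,
    # while the bound query matches no category with that literal name.
    print(compare("x' OR '1'='1"))
```

In a code review or scan, the thing to look for is the first form: request values joined into the statement string rather than passed as parameters.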
Impact
Exploitation of this vulnerability allows for SQL injection, enabling attackers to manipulate database queries. This could lead to unauthorized access to or modification of database information.
Remediation
Users are advised to consult the SAP Security Notes for guidance on applying patches or updates. SAP Security Notes can be accessed through the SAP for Me platform. For detailed information on the vulnerability and its implications, refer to the January 2026 SAP Security Patch Day Bulletin.
