Vulnerability intelligence

CVE-2026-27681

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.

CVSS Score

9.9

Critical

EPSS — Exploit Probability

0.1%

Riskier than 19% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

unknown

Check vendor advisories

NVD entry PoC / advisory

2 articles across 2 outlets · first covered Apr 14, 2026 · latest Apr 15, 2026

Coverage timeline

Exploiters target SAP SQLi and Adobe zero day flaws in April
thehackernews.com · Apr 15, 2026
SAP fixes critical SQLi in BW/BPC after April 2026 patch day
www.securityweek.com · Apr 14, 2026