How severe is CVE-2026-27681?

Critical severity. CVSS v3 base score is 9.9 out of 10.

SQL Injection in Sap_se Sap Business Planning And Consolidation Warehouse

CVE-2026-27681

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact…

Vulnerability class: SQL Injection

EPSS: 0.001 (19.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Sap_se Sap Business Planning And Consolidation Warehouse — versions HANABPC 810, BPC4HANA 300, SAP_BW 750

Weakness classification (CWE)

CWE-89 — SQL Injection

References

Frequently asked questions

What is CVE-2026-27681?: CVE-2026-27681 is a critical-severity vulnerability in Sap_se Sap Business Planning And Consolidation Warehouse, classified under SQL Injection. CVSS score: 9.9/10. Published 2026-04-14.
How severe is CVE-2026-27681?: Critical severity. CVSS v3 base score is 9.9 out of 10.