CVE-2016-2386 — SAP NetWeaver

SAP NetWeaver SQL Injection Vulnerability

Added to KEV

2022-06-09

Federal due date

2022-06-30

Vendor

SAP

Product

NetWeaver

EPSS

97.6th percentile (score 0.445, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Unknown

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2016-2386

CISA short description

SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Required action

Apply updates per vendor instructions.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.