The patch day includes four critical-severity flaws, including SQL injection, remote code execution, and code injection, that can compromise SAP environments via both authenticated and unauthenticated attack vectors.
The January patch cycle addresses several severe vulnerabilities targeting SAP’s core infrastructure.
CVE-2026-0501 is the highest-severity flaw: a SQL injection vulnerability in SAP S/4HANA’s General Ledger module, with a CVSS score of 9.9.
This vulnerability allows authenticated attackers to execute arbitrary SQL queries, directly compromising the integrity of financial data across S4CORE versions 102 through 109 in both private cloud and on-premise environments.
A critical remote code execution vulnerability in SAP Wily Introscope Enterprise Manager (CVE-2026-0500, CVSS 9.6) requires only minimal user interaction to trigger exploitation.
This flaw enables attackers to gain system-level access without authentication, presenting a substantial risk to enterprise monitoring infrastructure in version 10.8 deployments.
Code injection vulnerabilities have been reported in both SAP S/4HANA (CVE-2026-0498, CVSS 9.1) and SAP Landscape Transformation (CVE-2026-0491, CVSS 9.1), though both require high-privilege authentication.
The HANA privilege escalation vulnerability (CVE-2026-0492, CVSS 8.8) and OS command injection in Application Server components (CVE-2026-0507, CVSS 8.4) complete the high-severity threat landscape.
| CVE ID | Vulnerability Type | Affected Product | CVSS Score | Severity |
|---|---|---|---|---|
| CVE-2026-0501 | SQL Injection | SAP S/4HANA (General Ledger) | 9.9 | Critical |
| CVE-2026-0500 | Remote Code Execution | SAP Wily Introscope Enterprise Manager | 9.6 | Critical |
| CVE-2026-0498 | Code Injection | SAP S/4HANA (Private Cloud/On-Premise) | 9.1 | Critical |
| CVE-2026-0491 | Code Injection | SAP Landscape Transformation | 9.1 | Critical |
| CVE-2026-0492 | Privilege Escalation | SAP HANA Database | 8.8 | High |
| CVE-2026-0507 | OS Command Injection | SAP Application Server ABAP/NetWeaver RFCSDK | 8.4 | High |
| CVE-2026-0511 | Multiple Vulnerabilities | SAP Fiori App (Intercompany Balance Reconciliation) | 8.1 | High |
| CVE-2026-0506 | Missing Authorization Check | SAP NetWeaver Application Server ABAP | 8.1 | High |
| CVE-2026-0503 | Missing Authorization Check | SAP ERP/S/4HANA (EHS Management) | 6.4 | Medium |
| CVE-2026-0499 | Cross-Site Scripting (XSS) | SAP NetWeaver Enterprise Portal | 6.1 | Medium |
| CVE-2026-0514 | Cross-Site Scripting (XSS) | SAP Business Connector | 6.1 | Medium |
| CVE-2026-0513 | Open Redirect | SAP Supplier Relationship Management | 4.7 | Medium |
| CVE-2026-0494 | Information Disclosure | SAP Fiori App (Intercompany Balance Reconciliation) | 4.3 | Medium |
| CVE-2026-0493 | Cross-Site Request Forgery (CSRF) | SAP Fiori App (Intercompany Balance Reconciliation) | 4.3 | Medium |
| CVE-2026-0497 | Missing Authorization Check | Business Server Pages Application | 4.3 | Medium |
| CVE-2026-0504 | Insufficient Input Handling | SAP Identity Management | 3.8 | Low |
| CVE-2026-0510 | Obsolete Encryption Algorithm | NW AS Java UME User Mapping | 3.0 | Low |
Beyond the critical flaws, the patch cycle addresses multiple authorization-bypass vulnerabilities across NetWeaver Application Server (CVE-2026-0506, CVSS 8.1) and EHS Management systems (CVE-2026-0503, CVSS 6.4).
These authorization weaknesses could facilitate privilege escalation through authenticated access pathways.
Application-level vulnerabilities include cross-site scripting flaws in Enterprise Portal (CVE-2026-0499, CVSS 6.1) and Business Connector (CVE-2026-0514, CVSS 6.1), as well as cross-site request forgery affecting the Fiori Intercompany Balance Reconciliation app (CVE-2026-0493, CVSS 4.3).
Lower-severity vulnerabilities encompassing information disclosure, open redirects, and deprecated encryption implementations complete the vulnerability set.
SAP strongly recommends prioritizing patches addressing critical-severity vulnerabilities, particularly those affecting S/4HANA and Wily Introscope environments.
Organizations should consult SAP’s support portal for patch availability and deployment guidance tailored to their specific installed versions and system configurations.
Rapid remediation of these vulnerabilities is essential given their potential impact on core enterprise financial and monitoring systems.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google.
The post SAP Security Patch Day January 2026 Addresses Critical Injection and RCE Vulnerabilities appeared first on Cyber Security News.
Developer MoonPyre Studio introduces you to Hellforged, a new loot-focused bullet-hell extraction game that has…
Let’s get this out of the way: If it wasn’t already painfully obvious from the…
Netflix's Devil May Cry animated series Season 2 will see Dante come face-to-face with his…
50 Years Ago Big Y Foods, Inc., has set in motion the mechanism that apparently…
HOLYOKE — The man shot and killed on Sargeant Street Saturday night has been identified…
Overnight temperatures that dipped into the mid-20s are leaving some Pioneer Valley growers in a…
This website uses cookies.