SAP’s monthly bulletin is a remediation guide for vulnerabilities identified in SAP products, with an explicit recommendation to review the Support Portal and apply patches promptly to protect the SAP landscape.
The highest-risk issue identified is CVE-2026-0488, a code-injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) that allows authenticated, low-privilege users to inject and execute arbitrary code with cross-scope impact, and is associated with SAP Note 3697099 (CVSS 9.9).
From an attack-chain perspective, this class of flaw is especially dangerous in SAP landscapes because it can convert “business user” access into application-layer execution, enabling lateral movement into tightly coupled modules and integrations.
A second critical item, CVE-2026-0509, is a missing authorization check in SAP NetWeaver Application Server ABAP / ABAP Platform that can enable low-privilege authenticated users to bypass authorization controls (SAP Note 3674774; CVSS 9.6).
Among the high-severity set, CVE-2026-23687 (XML Signature Wrapping) in SAP NetWeaver AS ABAP / ABAP Platform is highlighted as a risk for signature-manipulation scenarios that can undermine trust decisions in XML-based flows.
Availability also features prominently: CVE-2026-23689 affects SAP Supply Chain Management and is described as uncontrolled resource consumption, where an authenticated user can repeatedly invoke a remote-enabled function module using an excessively large loop-control parameter, exhausting system resources until the service becomes unavailable.
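The resource-exhaustion pattern described for CVE-2026-23689 is something a defender can hunt for in RFC or audit logs: the same authenticated user repeatedly invoking one remote-enabled function module with a loop-control value far beyond anything a business run needs. The following detection sketch is an added example, not code from SAP or from the original post; the record layout, the function-module name `Z_PLANNING_RUN`, the parameter values and the thresholds are all constructed assumptions to be mapped onto your own log fields.

```python
"""Flag repeated oversized loop-control values per (user, function module).
Log format, module name and thresholds are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: (timestamp_seconds, user, function_module, loop_param)
SAMPLE_CALLS = [
    (100, "BUSUSER1", "Z_PLANNING_RUN", 50),
    (101, "BUSUSER1", "Z_PLANNING_RUN", 120),
    (102, "ATTK_USER", "Z_PLANNING_RUN", 2_000_000_000),
    (103, "ATTK_USER", "Z_PLANNING_RUN", 2_000_000_000),
    (104, "ATTK_USER", "Z_PLANNING_RUN", 2_000_000_000),
    (105, "BUSUSER2", "Z_PLANNING_RUN", 2_000_000_000),  # one-off, below repeat threshold
    (170, "ATTK_USER", "Z_PLANNING_RUN", 2_000_000_000),  # outside the 60 s window
]

MAX_REASONABLE_LOOP = 10_000   # assumed upper bound a legitimate caller would need
REPEAT_THRESHOLD = 3           # oversized calls per user/module inside WINDOW_SECONDS
WINDOW_SECONDS = 60

@dataclass(frozen=True)
class Finding:
    user: str
    module: str
    count: int
    max_value: int

def find_resource_exhaustion(calls, max_loop=MAX_REASONABLE_LOOP,
                             threshold=REPEAT_THRESHOLD, window=WINDOW_SECONDS):
    """Return one Finding per (user, module) that issued >= threshold calls with
    loop_param > max_loop inside a sliding window of `window` seconds."""
    per_key = defaultdict(list)
    for ts, user, module, loop_val in sorted(calls):
        if loop_val > max_loop:                      # only oversized calls count
            per_key[(user, module)].append((ts, loop_val))
    findings = []
    for (user, module), events in per_key.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                           # slide window forward
            if end - start + 1 >= threshold:
                findings.append(Finding(user, module, end - start + 1,
                                        max(v for _, v in events[start:end + 1])))
                break                                # one alert per key is enough
    return findings

if __name__ == "__main__":
    for f in find_resource_exhaustion(SAMPLE_CALLS):
        print(f"ALERT user={f.user} module={f.module} calls={f.count} max={f.max_value}")
```

Pair the alert with the vendor fix: the patch closes the unbounded loop, while this rule only tells you who was already exercising it.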
| CVE ID | Note # | Severity | CVSS | Product | Title |
|---|---|---|---|---|---|
| CVE-2026-0488 | 3697099 | Critical | 9.9 | SAP CRM & S/4HANA (Scripting Editor) | Code Injection vulnerability |
| CVE-2026-0509 | 3674774 | Critical | 9.6 | SAP NetWeaver AS ABAP & ABAP Platform | Missing Authorization check |
| CVE-2026-23687 | 3697567 | High | 8.8 | SAP NetWeaver AS ABAP & ABAP Platform | XML Signature Wrapping |
| CVE-2026-23689 | 3703092 | High | 7.7 | SAP Supply Chain Management | Denial of Service (DOS) |
| CVE-2026-24322 | 3705882 | High | 7.7 | SAP Solution Tools Plug-In (ST-PI) | Missing Authorization check |
| CVE-2026-0490 | 3654236 | High | 7.5 | SAP BusinessObjects BI Platform | Denial of Service (DOS) |
| CVE-2026-0485 | 3678282 | High | 7.5 | SAP BusinessObjects BI Platform | Denial of Service (DOS) |
| CVE-2025-12383 | 3692405 | High | 7.4 | SAP Commerce Cloud | Race Condition |
| CVE-2026-0508 | 3674246 | High | 7.3 | SAP BusinessObjects BI Platform | Open Redirect vulnerability |
| CVE-2026-0484 | 3672622 | Medium | 6.5 | SAP NetWeaver AS ABAP & S/4HANA | Missing Authorization check |
| CVE-2026-24324 | 3695912 | Medium | 6.5 | SAP BusinessObjects BI Platform (AdminTools) | Denial of Service (DOS) |
| CVE-2026-0505, CVE-2026-24323 | 3678417 | Medium | 6.1 | SAP Document Management System | Multiple vulnerabilities in BSP Applications |
| CVE-2026-24328 | 3688319 | Medium | 6.1 | BSP Application (TAF_APPLAUNCHER) | Open Redirection vulnerability |
| CVE-2025-0059 | 3503138 | Medium | 6.0 | SAP NetWeaver AS ABAP (SAP GUI for HTML) | Information Disclosure (Update to Jan 2025 Note) |
| CVE-2026-23684 | 3689543 | Medium | 5.9 | SAP Commerce Cloud | Race condition vulnerability |
| CVE-2026-24319 | 3679346 | Medium | 5.8 | SAP Business One (B1 Client Memory Dump) | Information Disclosure Vulnerability |
| CVE-2026-24321 | 3687771 | Medium | 5.3 | SAP Commerce Cloud | Information Disclosure vulnerability |
| CVE-2026-24312 | 3710111 | Medium | 5.2 | SAP Business Workflow | Missing authorization check |
| CVE-2026-0486 | 3691645 | Medium | 5.0 | ABAP based SAP systems | Missing Authorization Check |
| CVE-2026-24325 | 3697256 | Medium | 4.8 | SAP BusinessObjects Enterprise (CMC) | Cross-Site Scripting (XSS) |
| CVE-2026-23685 | 3687285 | Medium | 4.4 | SAP NetWeaver (JMS service) | Insecure Deserialization |
| CVE-2026-23688 | 3215823 | Medium | 4.3 | SAP Fiori App (Manage Service Entry Sheets) | Missing Authorization check |
| CVE-2026-23681 | 3680416 | Medium | 4.3 | SAP Support Tools Plug-In | Missing Authorization check in function module |
| CVE-2026-24326 | 3678009 | Medium | 4.3 | SAP S/4HANA Defense & Security | Missing authorization check |
| CVE-2026-24327 | 3680390 | Medium | 4.3 | SAP Strategic Ent. Mgmt (Balanced Scorecard) | Missing Authorization Check |
| CVE-2026-23686 | 3673213 | Low | 3.4 | SAP NetWeaver AS Java | CRLF Injection vulnerability |
| CVE-2026-24320 | 3678313 | Low | 3.1 | SAP NetWeaver & ABAP Platform (AS ABAP) | Memory Corruption vulnerability |
The same Patch Day coverage also flags multiple denial-of-service and redirect/XSS-style issues in SAP BusinessObjects BI Platform and related components, reinforcing that externally reachable or user-facing endpoints deserve extra scrutiny during triage.
The post SAP Security Patch Day – Critical SAP CRM and SAP S/4HANA Code Injection Vulnerabilities Fixed appeared first on Cyber Security News.