SAP Patch Day Fixes Critical SQL Injection, DoS, and Code Injection Flaws

SAP has announced its April 2026 Security Patch Day, releasing 19 new security notes and one update to a previously issued advisory.

The update addresses several severe flaws, including critical SQL injection, denial of service (DoS), and code injection vulnerabilities.

According to SAP’s official Support Portal, the fixes are essential to protect enterprise infrastructure from potential exploitation.

Critical and High-Severity Vulnerabilities

The most significant patch this month is for CVE-2026-27681, a critical SQL injection vulnerability affecting SAP Business Planning and Consolidation and SAP Business Warehouse.

Rated with a CVSS score of 9.9, this flaw could allow attackers to run arbitrary database queries, potentially compromising sensitive information and system integrity.

Another major risk, CVE-2026-34256, involves a missing authorization check impacting SAP ERP and SAP S/4HANA environments.

With a CVSS score of 7.1, this vulnerability could enable unauthorized users to perform restricted actions in both private cloud and on‑premise deployments.

SAP urges administrators to apply Security Note 3719353 immediately to address the SQL injection vulnerability and to check the updated November 2025 patch for S4CORE authorization checks.

Medium and Low-Severity Vulnerabilities

SAP also resolved several medium‑severity issues across its product suite. Notable among them:

  • CVE-2025-64775 – Denial of Service in SAP BusinessObjects Business Intelligence Platform (CVSS 6.5), which could disrupt reporting and analytics operations.
  • CVE-2026-27674 – Code Injection in SAP NetWeaver Application Server Java, fixed to block remote execution attempts.
  • CVE-2026-0512 – Cross‑Site Scripting (XSS) in SAP Supplier Relationship Management, now mitigated to prevent client‑side injection attacks.
  • CVE-2026-34264 – Information Disclosure in SAP Human Capital Management and SAP HANA Cockpit, patched to secure sensitive employee and database data.
  • CVE-2026-27675 – Code Injection in SAP Landscape Transformation, a low‑severity flaw addressed to prevent unauthorized OS command execution.

SAP emphasizes the prompt installation of all updates to strengthen system defenses against exploitation.

Administrators should:

  • Review all detailed security notes on the SAP Support Portal to understand affected versions.
  • Apply all relevant patches for ERP, S/4HANA, BusinessObjects, and NetWeaver environments.
  • Validate access controls and authorization policies impacted by recent fixes.

With multiple vulnerabilities patched across core SAP modules, this release underscores the growing need for continuous patch management within enterprise environments.

Security and incident response teams must act swiftly to apply these critical updates and maintain operational resilience against evolving cyber threats.

The post SAP Patch Day Fixes Critical SQL Injection, DoS, and Code Injection Flaws appeared first on Cyber Security News.

rssfeeds-admin
