- 174/2026
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple SAP products.
SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products, including SAP NetWeaver AS ABAP, SAP Commerce Cloud, SAP Data Hub, SAP NetWeaver Application Server Java (Web Container), ODP Data Replication APIs, SAP S/4HANA, SAP NetWeaver AS Java (JDBC Test Servlet), SAP Wily Introscope Enterprise Manager, SAP Business Objects Business Intelligence Platform, SAP Fiori (launchpad).
The addressed vulnerabilities could allow the attacker to perform cross-site scripting, denial-of-service, and email spoofing attacks, obtain sensitive information, gain elevated privileges, manipulate data, or execute arbitrary code, and gain unauthorized access to the affected systems.
Sample of the addressed vulnerabilities:
1. SAP NetWeaver AS ABAP and ABAP Platform XML Signature Wrapping in SAML Authentication Vulnerability (CVE-2026-44748):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
2. SAP NetWeaver Application Server Java (Web Container) Directory Traversal Vulnerability (CVE-2026-40128):
- CVSS: 9
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Consequences: File Manipulation
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.