SAP Security Patch Day January 2026

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

The patch fixes vulnerabilities in multiple SAP products, such as SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger), SAP Wily Introscope Enterprise Manager (WorkStation), SAP S/4HANA (Private Cloud and On-Premise), SAP Landscape Transformation, SAP HANA database, SAP Application Server for ABAP and SAP NetWeaver RFCSDK, SAP Fiori App, SAP NetWeaver Application Server ABAP and ABAP Platform, SAP ERP Central Component and SAP S/4HANA (SAP EHS Management).

A remote attacker could exploit some of these vulnerabilities to gain elevated privileges, bypass security restrictions, manipulate data, conduct cross-site scripting and cross-site request forgery attacks, obtain sensitive information, execute arbitrary commands, and gain access to the affected product.

Sample of the addressed vulnerabilities:

1. SAP S/4HANA Private Cloud and On-Premise (Financials – General Ledger) SQL Injection Vulnerability (CVE-2026-0501):

  • CVSS: 9.9
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Data Manipulation

2. SAP Wily Introscope Enterprise Manager (WorkStation) Remote Code Execution Vulnerability (CVE-2026-0500):

  • CVSS: 9.6
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Gain Access

Mitigations

Enterprises should deploy this patch as soon as the testing phase is completed.
