We've created the first-of-its-kind SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories give SAP users valuable insight into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.


Yikes, there is work to do!
This time we found critical correction advisories. We count 21 and the highest CVSS score is 10.0.

 

[Charts: SAP© security advisories by severity (21 in total); affected SAP© system types]

 

3747787
CVSS
10.0

Affected system type BTP
Patchday 2026-06
Released on 2026/04/29
Description 3747787 - Malicious open-source packages in SAP Cloud Application Programming Model & MTA Build Tool
3746332
CVSS
9.9

Affected system type ABAP
Patchday 2026-06
Released on 2026/06/09
Description 3746332 - [CVE-2026-44748] XML Signature Wrapping in SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform
3717897
CVSS
9.8

Affected system type Kernel / ABAP
Patchday 2026-06
Released on 2026/06/09
Description 3717897 - [CVE-2026-27671] Memory Corruption vulnerability in Application Server ABAP of SAP NetWeaver and ABAP Platform
3733064
CVSS
9.6

Affected system type SAP Commerce Cloud
Patchday 2026-06
Released on 2026/05/12
Description 3733064 - [CVE-2026-34263] Missing authentication check in SAP Commerce Cloud configuration
3748262
CVSS
9.1

Affected system type SAP Commerce Cloud
Patchday 2026-06
Released on 2026/06/09
Description 3748262 - [CVE-2026-22732] Potential Spring Security vulnerability within SAP Commerce Cloud and SAP Data Hub
3727078
CVSS
9.0

Affected system type Java
Patchday 2026-06
Released on 2026/06/09
Description 3727078 - [CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)
3732471
CVSS
8.2

Affected system type ABAP
Patchday 2026-06
Released on 2026/05/12
Description 3732471 - [CVE-2026-34259] OS Command Injection Vulnerability in SAP Forecasting & Replenishment
3747484
CVSS
7.4

Affected system type SAP Commerce Cloud
Patchday 2026-06
Released on 2026/06/09
Description 3747484 - [CVE-2026-29145] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
3735546
CVSS
7.1

Affected system type ABAP
Patchday 2026-06
Released on 2026/06/09
Description 3735546 - [CVE-2026-44751] Missing Authorization check in Application Server ABAP of SAP NetWeaver and ABAP Platform
3748819
CVSS
6.6

Affected system type ABAP
Patchday 2026-06
Released on 2026/06/09
Description 3748819 - [CVE-2026-44754] Missing caller identification check-in for ODP Data Replication APIs
3751691
CVSS
6.5

Affected system type ABAP
Patchday 2026-06
Released on 2026/06/09
Description 3751691 - [CVE-2026-44744] SQL Injection vulnerability in SAP S/4HANA
3723655
CVSS
6.1

Affected system type Java
Patchday 2026-06
Released on 2026/06/09
Description 3723655 - [CVE-2026-44746] Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS Java (JDBC Test Servlet)
3692004
CVSS
6.1

Affected system type ABAP
Patchday 2026-06
Released on 2026/04/14
Description 3692004 - [CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP
3715280
CVSS
4.7

Affected system type SAP Solution Manager
Patchday 2026-06
Released on 2026/06/09
Description 3715280 - [CVE-2026-44757] Cross-Site Scripting (XSS) vulnerability in SAP Wily Introscope Enterprise Manager
3673181
CVSS
4.3

Affected system type ABAP
Patchday 2026-06
Released on 2026/06/09
Description 3673181 - [CVE-2026-44750] Missing Authorization check in SAP MDG (Review Match Groups Application)
3433366
CVSS
4.3

Affected system type ABAP
Patchday 2026-06
Released on 2026/05/26
Description 3433366 - [CVE-2026-44749] Information Disclosure vulnerability in SAP Gateway
3718508
CVSS
4.3

Affected system type ABAP
Patchday 2026-06
Released on 2026/05/12
Description 3718508 - [CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management
3687096
CVSS
4.3

Affected system type BI/BO platform
Patchday 2026-06
Released on 2026/06/09
Description 3687096 - [CVE-2026-44755] Email Spoofing vulnerability in SAP Business Objects Business Intelligence Platform
3682699
CVSS
4.2

Affected system type SAP Fiori
Patchday 2026-06
Released on 2026/06/09
Description 3682699 - [CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad)
3706000
CVSS
3.7

Affected system type BI/BO platform
Patchday 2026-06
Released on 2026/06/09
Description 3706000 - [CVE-2026-44743] Security Misconfiguration vulnerability in SAP Business Objects
3726899
CVSS
3.3

Affected system type Java
Patchday 2026-06
Released on 2026/06/09
Description 3726899 - [CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java