
"The first critical security note released on SAP's February 2026 security patch day addresses CVE-2026-0488 (CVSS score of 9.9), a code injection bug in CRM and S/4HANA. Impacting the Scripting Editor component of the applications, the flaw can be exploited by authenticated attackers to execute arbitrary SQL statements. "A successful exploit can lead to a full compromise of the database with high impact on confidentiality, integrity, and availability of the application," enterprise application security firm Onapsis explains."
"The second critical security note that SAP released today resolves CVE-2026-0509 (CVSS score of 9.6), a missing authorization check in NetWeaver Application Server ABAP and ABAP Platform. "Under certain circumstances, an authenticated, low-privileged user can perform background remote function calls without the required S_RFC authorization," Onapsis explains. This month, SAP released seven new security notes that resolve high-severity security defects in NetWeaver, Supply Chain Management, Solution Tools Plug-In (ST-PI), BusinessObjects, and Commerce Cloud."
SAP released 27 new and updated security notes on its February 2026 patch day, including two critical flaws. CVE-2026-0488 (CVSS 9.9) is a code injection bug in CRM and S/4HANA's Scripting Editor that allows authenticated attackers to execute arbitrary SQL and potentially fully compromise databases. CVE-2026-0509 (CVSS 9.6) is a missing authorization check in NetWeaver Application Server ABAP and ABAP Platform that can let low-privileged authenticated users perform background remote function calls without S_RFC authorization. Seven high-severity fixes address NetWeaver, Supply Chain Management, ST-PI, BusinessObjects, and Commerce Cloud, including an XML signature wrapping issue. Additional medium- and low-severity fixes affect numerous SAP components.
Read at SecurityWeek