SAP released 17 new security notes on January 13, 2026, addressing vulnerabilities affecting widely deployed enterprise systems.
The patch day includes four critical-severity flaws spanning SQL injection, remote code execution, and code injection attacks that could allow authenticated and unauthenticated threat actors to compromise SAP environments.
The most severe vulnerabilities target core SAP infrastructure. CVE-2026-0501 is a SQL injection flaw in SAP S/4HANA’s General Ledger module (CVSS 9.9) that allows authenticated attackers to execute arbitrary SQL queries and compromise the integrity of financial data.
The vulnerability affects S4CORE versions 102 through 109 across both private cloud and on-premise deployments.
A remote code execution flaw in SAP Wily Introscope Enterprise Manager (CVE-2026-0500, CVSS 9.6) requires only user interaction to trigger and affects version 10.8.
This vulnerability could enable attackers to gain system-level access without authentication, posing a significant risk to enterprise monitoring infrastructure.
| CVE ID | Vulnerability Type | Affected Product | CVSS Score | Severity |
|---|---|---|---|---|
| CVE-2026-0501 | SQL Injection | SAP S/4HANA (General Ledger) | 9.9 | Critical |
| CVE-2026-0500 | Remote Code Execution | SAP Wily Introscope Enterprise Manager | 9.6 | Critical |
| CVE-2026-0498 | Code Injection | SAP S/4HANA (Private Cloud/On-Premise) | 9.1 | Critical |
| CVE-2026-0491 | Code Injection | SAP Landscape Transformation | 9.1 | Critical |
| CVE-2026-0492 | Privilege Escalation | SAP HANA Database | 8.8 | High |
| CVE-2026-0507 | OS Command Injection | SAP Application Server ABAP/NetWeaver RFCSDK | 8.4 | High |
| CVE-2026-0511 | Multiple Vulnerabilities | SAP Fiori App (Intercompany Balance Reconciliation) | 8.1 | High |
| CVE-2026-0506 | Missing Authorization Check | SAP NetWeaver Application Server ABAP | 8.1 | High |
| CVE-2026-0503 | Missing Authorization Check | SAP ERP/S/4HANA (EHS Management) | 6.4 | Medium |
| CVE-2026-0499 | Cross-Site Scripting (XSS) | SAP NetWeaver Enterprise Portal | 6.1 | Medium |
| CVE-2026-0514 | Cross-Site Scripting (XSS) | SAP Business Connector | 6.1 | Medium |
| CVE-2026-0513 | Open Redirect | SAP Supplier Relationship Management | 4.7 | Medium |
| CVE-2026-0494 | Information Disclosure | SAP Fiori App (Intercompany Balance Reconciliation) | 4.3 | Medium |
| CVE-2026-0493 | Cross-Site Request Forgery (CSRF) | SAP Fiori App (Intercompany Balance Reconciliation) | 4.3 | Medium |
| CVE-2026-0497 | Missing Authorization Check | Business Server Pages Application | 4.3 | Medium |
| CVE-2026-0504 | Insufficient Input Handling | SAP Identity Management | 3.8 | Low |
| CVE-2026-0510 | Obsolete Encryption Algorithm | NW AS Java UME User Mapping | 3.0 | Low |
Code injection vulnerabilities have surfaced in both SAP S/4HANA (CVE-2026-0498, CVSS 9.1) and SAP Landscape Transformation (CVE-2026-0491, CVSS 9.1), though they require high-privilege authentication.
The HANA privilege escalation flaw (CVE-2026-0492, CVSS 8.8) and OS command injection in Application Server components (CVE-2026-0507, CVSS 8.4) round out the high-severity threats.
Application-level vulnerabilities include multiple authorization bypasses and cross-site attacks affecting Fiori applications, NetWeaver components, and enterprise portal infrastructure.
Missing authorization checks in NetWeaver Application Server (CVE-2026-0506, CVSS 8.1) and EHS Management systems (CVE-2026-0503, CVSS 6.4) could allow privilege escalation through authenticated access.
Cross-site scripting flaws have been identified in the Enterprise Portal (CVE-2026-0499, CVSS 6.1) and the Business Connector (CVE-2026-0514, CVSS 6.1).
At lower severity, cross-site request forgery affects Fiori’s Intercompany Balance Reconciliation app (CVE-2026-0493, CVSS 4.3).
SAP strongly recommends customers prioritize patching these vulnerabilities immediately, particularly the critical-severity flaws affecting S/4HANA and Wily Introscope.
Organizations should consult SAP’s support portal for patch availability and deployment guidance specific to their installed versions and system configurations.