GBHackers

SAP Security Patch Day Fixes Critical Code Injection Flaw in SAP CRM and S/4HANA


SAP said the February 10, 2026 Patch Day delivered fixes across multiple SAP products and urged customers to apply patches with priority via the Support Portal to protect their SAP landscape.

The highest-risk item highlighted this month is CVE-2026-0488, described as a code injection vulnerability affecting SAP CRM and SAP S/4HANA (Scripting Editor) and tracked under SAP Note 3697099.

SAP reports this flaw carries a CVSS base score of 9.9 and can be abused by an authenticated attacker with low privileges to inject and execute arbitrary code.

SAP Security Patch Day

Code injection in an ERP or CRM environment can quickly become a business-wide incident because SAP systems often hold financial, customer, and supply chain data.

SAP notes CVE-2026-0488 can impact confidentiality, integrity, and availability, meaning the issue is not just about data exposure but also about the ability to change data or disrupt operations.

Because the attack is described as possible with low privileges (after login), defenders should assume compromised credentials could be enough to weaponize the bug.

Alongside CVE-2026-0488, SAP listed CVE-2026-0509 as another critical issue for SAP NetWeaver Application Server ABAP and ABAP Platform.

SAP links CVE-2026-0509 to SAP Note 3674774 and reports a CVSS 9.6 score, describing it as a missing authorization check that can enable low-privileged authenticated users to bypass authorization controls.

SAP also listed CVE-2026-23687 as a high-priority item, and RedRays reports it as an XML Signature Wrapping weakness (SAP Note 3697567) with CVSS 8.8.

Start by identifying where SAP CRM, SAP S/4HANA Scripting Editor, and NetWeaver AS ABAP components are deployed, then map them to the relevant SAP Notes called out for February 2026.

Treat the two critical entries (CVE-2026-0488 and CVE-2026-0509) as immediate patch candidates, because SAP classifies both as Critical and frames them as high-impact issues.

After patching, review privileged access paths and monitor for unusual scripting activity or authorization failures that could indicate attempted exploitation.
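The triage steps above (inventory the affected products, map them to the February 2026 notes, rank the two Critical entries first) as an added worked example; this is not code from SAP or the article. The patch entries are the CVEs, SAP Notes and CVSS values quoted in this article (notes the article does not give are left as None), while the system inventory, its product keywords and the applied-note lists are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PatchEntry:
    cve: str
    note: Optional[str]     # SAP Note number; None where the article gives none
    priority: str           # SAP Patch Day priority
    products: tuple         # product names as listed on the Patch Day summary
    cvss: Optional[float]   # reported CVSS; None where the article gives none

# Entries quoted in the article (subset of the February 2026 list).
PATCH_DAY_2026_02 = [
    PatchEntry("CVE-2026-0488", "3697099", "Critical", ("SAP CRM", "SAP S/4HANA"), 9.9),
    PatchEntry("CVE-2026-0509", "3674774", "Critical", ("SAP NetWeaver AS ABAP", "ABAP Platform"), 9.6),
    PatchEntry("CVE-2026-23687", "3697567", "High", ("SAP NetWeaver AS ABAP", "ABAP Platform"), 8.8),
    PatchEntry("CVE-2026-0490", None, "High", ("SAP BusinessObjects BI Platform",), None),
]

# Constructed inventory: system id, product, exposure, and SAP Notes already applied.
INVENTORY = [
    {"sid": "CRP", "product": "SAP CRM", "internet_facing": False, "applied_notes": set()},
    {"sid": "S4P", "product": "SAP S/4HANA", "internet_facing": True, "applied_notes": {"3697099"}},
    {"sid": "ABP", "product": "ABAP Platform", "internet_facing": False, "applied_notes": set()},
    {"sid": "BIP", "product": "SAP BusinessObjects BI Platform", "internet_facing": True, "applied_notes": set()},
]

PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def outstanding_patches(inventory, entries):
    """Return (sid, cve, note, priority) for every unpatched entry, most urgent first."""
    work = []
    for system in inventory:
        for e in entries:
            if system["product"] not in e.products:
                continue
            if e.note is not None and e.note in system["applied_notes"]:
                continue  # this note is already applied on this system
            # Rank by SAP priority, then CVSS (unknown scores sort last),
            # then internet-facing systems ahead of internal ones.
            key = (PRIORITY_RANK.get(e.priority, 9), -(e.cvss or 0.0), not system["internet_facing"])
            work.append((key, system["sid"], e.cve, e.note, e.priority))
    work.sort()
    return [w[1:] for w in work]

if __name__ == "__main__":
    for sid, cve, note, priority in outstanding_patches(INVENTORY, PATCH_DAY_2026_02):
        print(f"{sid}: {cve} ({priority}) -> SAP Note {note or 'n/a'}")
```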

| CVE | SAP priority (Patch Day list) | Affected product (summary) | CVSS (reported) |
|---|---|---|---|
| CVE-2026-0488 | Critical | SAP CRM, SAP S/4HANA (Scripting Editor) | 9.9 |
| CVE-2026-0509 | Critical | SAP NetWeaver AS ABAP, ABAP Platform | 9.6 |
| CVE-2026-23687 | High | SAP NetWeaver AS ABAP, ABAP Platform | 8.8 |
| CVE-2026-23689 | High | SAP Supply Chain Management (DoS) | |
| CVE-2026-24322 | High | SAP Solution Tools Plug-In (ST-PI) | |
| CVE-2026-0490 | High | SAP BusinessObjects BI Platform (DoS) | |
| CVE-2026-0485 | High | SAP BusinessObjects BI Platform (DoS) | |
| CVE-2025-12383 | High | SAP Commerce Cloud (race condition) | |
| CVE-2026-0508 | High | SAP BusinessObjects BI Platform (open redirect) | |
