SAP released 17 new security notes on January 13, 2026, as part of its monthly Security Patch Day, addressing critical injection flaws and remote code execution vulnerabilities across key products.
No updates addressed prior notes, urging organizations to act swiftly on the four HotNews-level vulnerabilities.
Four critical issues dominate this patch cycle, with CVSS scores reaching 9.9, indicating severe impacts such as full-system compromise. Attackers could exploit these remotely, often with low privileges, to manipulate data or execute code across scopes.
The most pressing issue is SQL injection in SAP S/4HANA Private Cloud and On-Premise Financials – General Ledger (CVE-2026-0501), where authenticated, low-privilege users can inject arbitrary SQL queries, compromising the confidentiality, integrity, and availability of financial data.
Remote code execution strikes SAP Wily Introscope Enterprise Manager Workstation (CVE-2026-0500), allowing unauthenticated attackers with user interaction to seize control.
Code injection flaws hit SAP S/4HANA (CVE-2026-0498) and Landscape Transformation (CVE-2026-0491), both with a CVSS score of 9.1, letting high-privilege users inject and run malicious code remotely.
| Note # | CVE ID | Product | Affected Versions | CVSS v3.1 | Priority |
|---|---|---|---|---|---|
| 3687749 | CVE-2026-0501 | S/4HANA (Financials – General Ledger) | S4CORE 102-109 | 9.9 | Critical |
| 3668679 | CVE-2026-0500 | Wily Introscope Enterprise Manager | WILY_INTRO_ENTERPRISE 10.8 | 9.6 | Critical |
| 3694242 | CVE-2026-0498 | S/4HANA (Private Cloud/On-Premise) | S4CORE 102-109 | 9.1 | Critical |
| 3697979 | CVE-2026-0491 | Landscape Transformation | DMIS 2011_1_700 to 2020 | 9.1 | Critical |
High and Medium Risks
High-priority notes include privilege escalation in SAP HANA (CVE-2026-0492, CVSS 8.8), letting low-privilege users gain full database control, and OS command injection in ABAP servers (CVE-2026-0507, CVSS 8.4).
Missing authorizations in NetWeaver ABAP (CVE-2026-0506, CVSS 8.1) and Fiori apps (CVE-2026-0511 et al., CVSS 8.1) expose integrity and data leaks.
Medium issues cover XSS in NetWeaver Portal (CVE-2026-0499, CVSS 6.1) and Business Connector (CVE-2026-0514), open redirects, CSRF, and info disclosures in Fiori and SRM, all with network reach. Low-severity fixes handle weak JNDI input and obsolete encryption in Identity Management and NW Java.
| Note # | CVE ID | Product | CVSS v3.1 | Priority |
|---|---|---|---|---|
| 3691059 | CVE-2026-0492 | SAP HANA | 8.8 | High |
| 3675151 | CVE-2026-0507 | ABAP/NetWeaver RFCSDK | 8.4 | High |
| 3688703 | CVE-2026-0506 | NetWeaver ABAP | 8.1 | High |
| 3565506 | CVE-2026-0511 | Fiori (Intercompany) | 8.1 | High |
Administrators must patch critical notes immediately, SQL injection and RCE within 24 hours, and code injections urgently to avert breaches in finance and monitoring tools.
Test patches in staging environments first, prioritizing S/4HANA and HANA deployments widespread in enterprises. SAP stresses reviewing notes on the Support Portal and layering defenses like network segmentation until updates apply.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
