SAP Product Security Update Advisory

Overview

 

We have released security updates to fix vulnerabilities in SAP products. Users of affected products are advised to update to the latest version.
 

 

Affected Products

 

CVE-2026-0485

 

SAP BusinessObjects BI Platform versions: Enterprise 430, 2025, 2027

 

CVE-2026-0488

 

SAP CRM and SAP S/4HANA (Scripting Editor) versions: S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801

 

CVE-2026-0490

 

SAP BusinessObjects BI Platform versions: Enterprise 430, 2025, 2027

 

CVE-2026-0508

 

SAP BusinessObjects Business Intelligence Platform versions: Enterprise 430, 2025, 2027

 

CVE-2026-0509

 

SAP NetWeaver Application Server ABAP and ABAP Platform versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19

 

CVE-2026-23687

 

SAP NetWeaver AS ABAP and ABAP Platform versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917, SAP_BASIS 918

 

CVE-2026-23689

 

SAP Supply Chain Management versions: SCMAPO 713, 714, SCM 700, 701, 702, 712

 

CVE-2026-24322

 

SAP Solution Tools Plug-In (ST-PI) versions: ST-PI 2008_1_700, 2008_1_710, 740, 758

 

 

Resolved Vulnerabilities

 

Denial of Service vulnerability in SAP BusinessObjects BI Platform (CVE-2026-0485)
Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) (CVE-2026-0488)
Denial of Service vulnerability in SAP BusinessObjects BI Platform (CVE-2026-0490)
Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform (CVE-2026-0508)
Missing Authorization Validation vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform (CVE-2026-0509)
XML Signature Wrapping vulnerability in SAP NetWeaver AS ABAP and ABAP Platform (CVE-2026-23687)
Denial of Service vulnerability in SAP Supply Chain Management (CVE-2026-23689)
Missing Authorization Validation vulnerability in SAP Solution Tools Plug-In (ST-PI) (CVE-2026-24322)

 

 

Vulnerability Patches

Patches for these vulnerabilities have been made available in the latest updates. Follow the instructions on the referenced sites to update to the latest patched version.

 

CVE-2026-0485, CVE-2026-0488, CVE-2026-0490, CVE-2026-0508, CVE-2026-0509, CVE-2026-23687, CVE-2026-23689, CVE-2026-24322

 

Separate security patches are available. [2][3][4][5][6][7][8][9]

 

 

References

 

[1] SAP Security Patch Day – February 2026
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2026.html
[2] CVE-2026-0485
https://me.sap.com/notes/3678282
[3] CVE-2026-0488
https://me.sap.com/notes/3697099
[4] CVE-2026-0490
https://me.sap.com/notes/3654236
[5] CVE-2026-0508
https://me.sap.com/notes/3674246
[6] CVE-2026-0509
https://me.sap.com/notes/3674774
[7] CVE-2026-23687
https://me.sap.com/notes/3697567
[8] CVE-2026-23689
https://me.sap.com/notes/3703092
[9] CVE-2026-24322
https://me.sap.com/notes/3705882