The release covers a wide range of core platforms, including SAP NetWeaver, S/4HANA, Business One, Business Warehouse, and a number of industry and client apps. SAP tells customers to read all of the notes and apply the fixes right away through the SAP Support Portal.

Important Risks of Remote Code Execution

The most serious problem is a code injection vulnerability (CVE-2019-17571) in SAP Quotation Management Insurance (FS-QUO). It has a CVSS score of 9.8, which means it is very serious. It stems from a known Apache Log4j 1.2 deserialization flaw that lets remote, unauthenticated attackers run arbitrary code, completely compromising the system's confidentiality, integrity, and availability. Another important note covers insecure deserialization in SAP NetWeaver Enterprise Portal Administration (CVE-2026-27685), which has a CVSS score of 9.1.

In this instance, a highly privileged attacker can exploit unsafe deserialization of uploaded content to execute arbitrary code with cross-scope effects throughout the portal environment. SAP also fixed a denial-of-service vulnerability in SAP Supply Chain Management (CVE-2026-27689, CVSS 7.7) that could let authenticated users make the system unavailable. Server-side request forgery (SSRF) in SAP NetWeaver AS ABAP and multiple missing authorization checks in NetWeaver AS ABAP, SAP BW, S/4HANA HCM Portugal, ERP HCM Portugal, and SAP Solution Tools Plug-In (ST-PI) are other medium-severity problems.

Further notes address SQL injection in SAP NetWeaver Feedback Notification (CVE-2026-27684), DOM-based XSS in SAP Business One Job Service (CVE-2026-0489), insecure storage protection in SAP Customer Checkout 2.0, DLL hijacking in SAP GUI for Windows with GuiXT, and a denial-of-service risk because SAP NetWeaver AS Java (Adobe Document Services) uses an old version of OpenSSL.

SAP customers should patch the FS-QUO code injection and NetWeaver Enterprise Portal insecure deserialization vulnerabilities as soon as possible because both can be used to run code remotely and take over the whole system. After that, the security and Basis teams should review the other high and medium notes, paying special attention to systems that are accessible from the internet, business-critical modules, and places where attackers could use flaws in authorization, injection, and deserialization to move laterally.

You can find all the fixes and instructions for how to use them in the SAP Security Notes & News section of the SAP Support Portal.