SAP Patches Critical CRM, S/4HANA, NetWeaver Vulnerabilities


SAP on Tuesday announced the release of 27 new and updated security notes, including two that address critical-severity vulnerabilities.

The first critical security note released on SAP’s February 2026 security patch day addresses CVE-2026-0488 (CVSS score of 9.9), a code injection bug in CRM and S/4HANA.

Impacting the Scripting Editor component of the applications, the flaw can be exploited by authenticated attackers to execute arbitrary SQL statements.

“A successful exploit can lead to a full compromise of the database with high impact on confidentiality, integrity, and availability of the application,” enterprise application security firm Onapsis explains.

The second critical security note that SAP released today resolves CVE-2026-0509 (CVSS score of 9.6), a missing authorization check in NetWeaver Application Server ABAP and ABAP Platform.

“Under certain circumstances, an authenticated, low-privileged user can perform background remote function calls without the required S_RFC authorization,” Onapsis explains.

This month, SAP ...


Copyright of this story solely belongs to securityweek.