SAP Security Patch Day - July 2026

This post shares the information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the support portal and applies patches on priority to protect their SAP landscape.

On 14th of July 2026, SAP security patch day saw the release of 16 new security notes and 1 Github security advisory. There are 3 updates to previously released security notes.

Note#

Title

Priority

CVSS

3747367

[CVE-2026-44747] Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP

Product - SAP NetWeaver Application Server ABAP
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53. 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19, 9.20

Critical

9.9

3720138

[CVE-2026-27690] HTTP Request Smuggling in SAP Approuter

Library - SAP Approuter
Version(s) - SAP Approuter node.js package < 20.10.0

Critical

9.1

3753495

[CVE-2026-44761] Insecure Sample Credentials in SAP Commerce Cloud

Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

Critical

9.1

3727078

Update to Security Note released on June 2026 Patch Day:

[CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver Application Server Java (Web Container)

Product - SAP NetWeaver Application Server Java (Web Container)
Version(s) - ENGINEAPI 7.50

Critical

9.0

3758101

[CVE-2026-40860] Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell)
Related CVEs - CVE-2026-40453, CVE-2026-33454

Product - SAP Integration Suite (Edge Integration Cell)
Version(s) - SAP Integration Suite (Edge Integration Cell) < 8.43.11

High

8.8

3692165

[CVE-2026-0487] DLL Hijacking vulnerability in SAProuter on Microsoft Windows

Product - SAProuter on Microsoft Windows
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, SAP_ROUTER 7.53, 7.54, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.17, 9.18

High

8.4

3748227

[CVE-2026-44752] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard)

Product - SAP NetWeaver Application Server Java(Configuration Wizard)
Version(s) - LMCTC 7.50

High

8.2

3741519

[CVE-2026-44745] Open Redirect vulnerability in SAP Approuter

Library - SAP Approuter
Version(s) - SAP Approuter node.js package < 21.2.0

High

8.1

3763800

[Multiple CVEs] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
CVEs -
CVE-2026-43512, CVE-2026-41293, CVE-2026-43515

Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

High

8.1

3773304

[CVE-2026-58233] Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach)

Product - SAP Change and Transport System Attach Tool (ctsattach)
Version(s) - CTS_UPLOAD_CLT 1

High

7.6

3746678

[CVE-2026-44759] Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal

Product - SAP NetWeaver Enterprise Portal
Version(s) - EP-RUNTIME 7.50

Medium

6.1

GHSA-p8gx-753q-v89p

[CVE-2026-44767] Allowlist Bypass in setThemeRoot() Enables Cross-Origin CSS Injection

Library - ui5/webcomponents-base
Version(s) - ui5 webcomponents-base < 2.21.0

Medium

6.1

3537373

[CVE-2026-44769] SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO)

Product - SAP S/4HANA Project Management (PPM-PRO)
Version(s) - SAP_APPL 600, 602, 603, 604, 605, 606, 617, 618, S4CORE 102, 103, 104, 105, 106, 107, 108, CPRXRPM 400, 450_700, 500_702, 610_740

Medium

5.5

3754659

[CVE-2026-44760] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)

Product - SAP NetWeaver Application Server ABAP (applications based on Business Server Pages)
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918, SAP_BASIS 919, SAP_BASIS 920

Medium

4.7

3515598

[CVE-2026-44771] Missing Authorization check in SAP S/4HANA (Draft operation)

Product - SAP S/4HANA (Draft operation)
Version(s) - S4CORE 108

Medium

4.3

3713902

[CVE-2026-44770] Missing Authorization check in SAP S/4 HANA (Create Single Payment)

Product - SAP S/4 HANA (Create Single Payment)
Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109

Medium

4.3

3682699

Update to Security Note released on June 2026 Patch Day:

[CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori (launchpad)

Product - SAP Fiori (launchpad)
Version(s) - SAP_UI 754, 755, 756, 757, 758, 816

Medium

4.2

3155685

[CVE-2026-44768] Security misconfiguration in SAP CRM (WebClient UI)

Product - SAP CRM (WebClient UI)
Version(s) - S4FND 104, 105, 106

Medium

4.1

3732522

[CVE-2026-44753] Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service)

Product - SAP HANA Extended Application Services classic model (User Self Service)
Version(s) - HDB 2.00

Low

3.7

3726899

Update to Security Note released on June 2026 Patch Day:

[CVE-2025-68161] Potential vulnerability in Apache Log4j library used by SAP NetWeaver AS Java

Product - SAP NetWeaver AS Java
Version(s) – SERVERCORE 7.50, CORE-TOOLS 7.50, J2EE-APPS 7.50

Low

3.3

To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.