-
Non-Product Related Assistance
Request for existing cases, user IDs, Portal navigation support and more
SAP Security Patch Day - July 2026
This post shares the information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the support portal and applies patches on priority to protect their SAP landscape.
On 14th of July 2026, SAP security patch day saw the release of 16 new security notes and 1 Github security advisory. There are 3 updates to previously released security notes.
Note# | Title | Priority | CVSS |
|---|---|---|---|
[CVE-2026-44747] Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP Product - SAP NetWeaver Application Server ABAP | Critical | ||
[CVE-2026-27690] HTTP Request Smuggling in SAP Approuter Library - SAP Approuter | Critical | ||
[CVE-2026-44761] Insecure Sample Credentials in SAP Commerce Cloud Product - SAP Commerce Cloud | Critical | ||
Update to Security Note released on June 2026 Patch Day: Product - SAP NetWeaver Application Server Java (Web Container) | Critical | ||
[CVE-2026-40860] Multiple vulnerabilities in Apache Camel within SAP Integration Suite (Edge Integration Cell) Product - SAP Integration Suite (Edge Integration Cell) | High | ||
[CVE-2026-0487] DLL Hijacking vulnerability in SAProuter on Microsoft Windows Product - SAProuter on Microsoft Windows | High | ||
[CVE-2026-44752] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java(Configuration Wizard) Product - SAP NetWeaver Application Server Java(Configuration Wizard) | High | ||
[CVE-2026-44745] Open Redirect vulnerability in SAP Approuter Library - SAP Approuter | High | ||
[Multiple CVEs] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud Product - SAP Commerce Cloud | High | ||
[CVE-2026-58233] Remote Code Execution vulnerability in SAP Change and Transport System Attach Tool (ctsattach) Product - SAP Change and Transport System Attach Tool (ctsattach) | High | ||
[CVE-2026-44759] Cross Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal Product - SAP NetWeaver Enterprise Portal | Medium | ||
[CVE-2026-44767] Allowlist Bypass in setThemeRoot() Enables Cross-Origin CSS Injection Library - ui5/webcomponents-base | Medium | ||
[CVE-2026-44769] SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) Product - SAP S/4HANA Project Management (PPM-PRO) | Medium | ||
[CVE-2026-44760] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) Product - SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) | Medium | ||
[CVE-2026-44771] Missing Authorization check in SAP S/4HANA (Draft operation) Product - SAP S/4HANA (Draft operation) | Medium | ||
[CVE-2026-44770] Missing Authorization check in SAP S/4 HANA (Create Single Payment) Product - SAP S/4 HANA (Create Single Payment) | Medium | ||
Update to Security Note released on June 2026 Patch Day: | Medium | ||
[CVE-2026-44768] Security misconfiguration in SAP CRM (WebClient UI) Product - SAP CRM (WebClient UI) | Medium | ||
[CVE-2026-44753] Information Disclosure vulnerability in SAP HANA Extended Application Services classic model (User Self Service) Product - SAP HANA Extended Application Services classic model (User Self Service) | Low | ||
Update to Security Note released on June 2026 Patch Day: Product - SAP NetWeaver AS Java | Low |
To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.