SAP Security Patch Day - March 2026

This post shares the information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 10th of March 2026, SAP security patch day saw the release of 15 new security notes. There are no updates to previously released patch day security notes.

Note#

Title

Priority

CVSS

3698553

[CVE-2019-17571Code Injection vulnerability in SAP Quotation Management Insurance application (FS-QUO)

Product - SAP Quotation Management Insurance application (FS-QUO)
Version(s) - FS-QUO 800

Critical

9.8

3714585

[CVE-2026-27685Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Product - SAP NetWeaver Enterprise Portal Administration
Version(s) - EP-RUNTIME 7.50

Critical

9.1

3719502

[CVE-2026-27689Denial of service (DOS) in SAP Supply Chain Management

Product - SAP Supply Chain Management
Version(s) - SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, 109, SCM 700, 701, 702, 712

High

7.7

3689080

[CVE-2026-24316Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918

Medium

6.4

3703856

[CVE-2026-24309Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

6.4

3697355

[CVE-2026-27684SQL Injection Vulnerability in SAP NetWeaver (Feedback Notification)

Product - SAP NetWeaver (Feedback Notification)
Version(s) - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75A, 75B, 75C, 75D, 75E, 75F, 75G, 75H, 75I, 816

Medium

6.4

3693543

[CVE-2026-0489DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP Business One (Job Service)

Product - SAP Business One (Job Service)
Version(s) - B1_ON_HANA 10.0, SAP-M-BO 10.0

Medium

6.1

3703385

[CVE-2026-27686Missing Authorization check in SAP Business Warehouse (Service API)

Product - SAP Business Warehouse (Service API)
Version(s) - DW4CORE 200, 300, 400, PI_BASIS 2006_1_700, 701, 702, 730, 731, 740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 816

Medium

5.9

3701020

[CVE-2026-27687Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

Product - SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
Version(s) - S4HCMCPT 100, 101, 102, SAP_HRCPT 600, 604, 608

Medium

5.8

3708457

[CVE-2026-24311Insecure Storage Protection vulnerability in SAP Customer Checkout 2.0

Product - SAP Customer Checkout 2.0
Version(s) - SAP_CUSTOMER_CHECKOUT 2.0

Medium

5.6

3699761

[CVE-2026-24317DLL Hijacking vulnerability in SAP GUI for Windows with active GuiXT

Product - SAP GUI for Windows with active GuiXT
Version(s) - BC-FES-GUI 8.00

Medium

5.0

3704740

[CVE-2026-27688Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 730, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.0

3707930

[CVE-2026-24313Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)

Product - SAP Solution Tools Plug-In (ST-PI)
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758

Medium

5.0

3700960

[Multiple CVEs] Denial of Service due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Services)

Related CVEs - CVE-2025-9230CVE-2025-9232
Product - SAP NetWeaver AS Java (Adobe Document Services)
Version(s) – ADSSAP 7.50

Medium

4.3

3694383

[CVE-2026-24310Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Low

3.5

2 previously released security notes were updated after the scheduled monthly patch day.

3678282

Update to Security Note released on February 2026 Patch Day:

[CVE-2026-0485Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform

Product - SAP BusinessObjects BI Platform
Version(s) - ENTERPRISE 430, 2025, 2027

High

7.5

3689080

Update to Security Note released on March 2026 Patch Day:

[CVE-2026-24316] Server-Side Request Forgery (SSRF) in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918

 

Medium

6.4

To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.