SAP Patch Day Fixes Critical SQL Injection, DoS, and Code Injection Flaws - gbhackers.com
SAP Patch Day Fixes Critical SQL Injection, DoS, and Code Injection Flaws
By Divya
April 14, 2026
SAP released its monthly Security Patch Day updates, addressing 19 new security notes and one update to a previously released note.
According to the SAP Support Portal, the patches resolve a critical SQL injection flaw, a high-severity missing authorization check, and a set of medium- and low-severity issues including Denial of Service (DoS), code injection, cross-site scripting, and information disclosure.
SAP strongly advises all administrators to review these updates and apply the necessary patches immediately to protect their enterprise infrastructure.
Critical and High-Severity Flaws
The April 2026 release contains two vulnerabilities that warrant immediate remediation before the rest of the batch:
Critical SQL Injection (CVE-2026-27681): The most severe vulnerability patched this month affects SAP Business Planning and Consolidation and SAP Business Warehouse. Rated CVSS 9.9, just short of the maximum, this SQL injection flaw could allow an attacker to execute arbitrary database queries, leading to complete compromise of the affected application's confidentiality, integrity, and availability. SAP tracks the fix as Security Note 3719353.
Missing Authorization Check (CVE-2026-34256): A high-severity flaw (CVSS 7.1) in SAP ERP and SAP S/4HANA, affecting both Private Cloud and On-Premise deployments, allows users who lack the required authorization to perform restricted actions.
Medium-Severity Vulnerabilities
In addition to the critical and high-severity fixes, SAP addressed multiple medium- and low-severity vulnerabilities across its broader product ecosystem. The notable ones:
Denial of Service in BusinessObjects: SAP BusinessObjects Business Intelligence Platform received a patch for a DoS vulnerability (CVE-2025-64775, CVSS 6.5). Exploitation could disrupt business analytics and reporting operations.
Code Injection in NetWeaver: A medium-severity code injection vulnerability (CVE-2026-27674, CVSS 6.1) in the Web Dynpro Java component of SAP NetWeaver Application Server Java was fixed.
Cross-Site Scripting: SAP Supplier Relationship Management contained an XSS flaw (CVE-2026-0512, CVSS 6.1) in the SICF handler of the SRM Catalog; the fix prevents client-side script injection.
Information Disclosure: Patches address information disclosure issues in SAP Human Capital Management for SAP S/4HANA (CVE-2026-34264, CVSS 6.5) and in SAP HANA Cockpit and HANA Database Explorer (CVE-2026-34262, CVSS 5.0).
Landscape Transformation Flaw: A low-severity code injection flaw (CVE-2026-27675, CVSS 2.0) in SAP Landscape Transformation was also addressed to prevent unauthorized OS command execution.
Recommended Actions
SAP continues to emphasize timely patching. Administrators and incident response teams should prioritize the following steps:
Review the detailed security notes on the SAP Support Portal to understand which product versions and support packages are affected.
Deploy Security Note 3719353 immediately to fix the critical CVSS 9.9 SQL injection vulnerability (CVE-2026-27681).
Evaluate the updated November 2025 note for the missing authorization check in SAP S4CORE (CVE-2025-42899, Manage Journal Entries), and verify whether systems that already applied the original note need the revised version.
Ensure all SAP ERP and S/4HANA environments receive the missing-authorization-check fixes (CVE-2026-34256 and the S/4HANA OData service notes) to prevent unauthorized access and data manipulation.
Vulnerability Details

| CVE ID | Description | Priority | CVSS Score |
|---|---|---|---|
| CVE-2026-27681 | SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse | Critical | 9.9 |
| CVE-2026-34256 | Missing Authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise) | High | 7.1 |
| CVE-2025-64775 | Denial of Service vulnerability in SAP BusinessObjects Business Intelligence Platform | Medium | 6.5 |
| CVE-2026-34264 | Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA | Medium | 6.5 |
| CVE-2026-34261 | Missing Authorization check in SAP Business Analytics and SAP Content Management | Medium | 6.5 |
| CVE-2026-27677 | Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment) | Medium | 6.5 |
| CVE-2026-27678 | Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures) | Medium | 6.5 |
| CVE-2026-27679 | Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures) | Medium | 6.5 |
| CVE-2026-0512 | Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog) | Medium | 6.1 |
| CVE-2026-27674 | Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java) | Medium | 6.1 |
| CVE-2026-34257 | Open Redirect vulnerability in SAP NetWeaver Application Server ABAP | Medium | 6.1 |
| CVE-2026-34262 | Information Disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer | Medium | 5.0 |
| CVE-2026-27673 | Missing Authorization check in SAP S/4HANA (Private Cloud and On-Premise) | Medium | 4.9 |
| CVE-2026-27672 | Missing Authorization check in Material Master Application | Medium | 4.3 |
| CVE-2026-27676 | Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures) | Medium | 4.3 |
| CVE-2025-42899 | Update: Missing Authorization check in SAP S4CORE (Manage Journal Entries) | Medium | 4.3 |
| CVE-2026-24318 | Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform | Medium | 4.2 |
| CVE-2026-27683 | Reflected Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform | Medium | 4.1 |
| CVE-2026-27680 | CSS Injection vulnerability in SAP NetWeaver Application Server ABAP | Low | 3.1 |
| CVE-2026-27675 | Code Injection vulnerability in SAP Landscape Transformation | Low | 2.0 |
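The table is the raw material for a patch plan, and a team with dozens of SAP systems will want it in machine-readable form rather than re-reading twenty rows. The script below is an added example, not part of the original article and not an SAP tool: it parses the rows exactly as they appear above, maps each CVSS score to the CVSS v3.x qualitative band to cross-check SAP's priority labels, orders the notes for deployment (highest score first, with the re-released CVE-2025-42899 ahead of new notes at the same score), and groups CVEs by affected component. The component grouping is a heuristic assumption based on the wording of the descriptions (the product named after "in", minus parenthetical detail), not an SAP data field.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the article's vulnerability table: "<CVE> <description> <SAP priority> <CVSS>".
PATCH_DAY_TABLE = """
CVE-2026-27681 SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse Critical 9.9
CVE-2026-34256 Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise) High 7.1
CVE-2025-64775 Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform Medium 6.5
CVE-2026-34264 Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA Medium 6.5
CVE-2026-34261 Missing Authorization check in SAP Business Analytics and SAP Content Management Medium 6.5
CVE-2026-27677 Missing Authorization check in SAP S/4HANA OData Service (Manage Reference Equipment) Medium 6.5
CVE-2026-27678 Missing Authorization check in SAP S/4HANA Backend OData Service (Manage Reference Structures) Medium 6.5
CVE-2026-27679 Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures) Medium 6.5
CVE-2026-0512 Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog) Medium 6.1
CVE-2026-27674 Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java) Medium 6.1
CVE-2026-34257 Open Redirect vulnerability in SAP NetWeaver Application Server ABAP Medium 6.1
CVE-2026-34262 Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer Medium 5.0
CVE-2026-27673 Missing Authorization Check in SAP S/4HANA (Private Cloud and On-Premise) Medium 4.9
CVE-2026-27672 Missing Authorization check in Material Master Application Medium 4.3
CVE-2026-27676 Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures) Medium 4.3
CVE-2025-42899 Update: Missing Authorization check in SAP S4CORE (Manage Journal Entries) Medium 4.3
CVE-2026-24318 Insecure Session Management vulnerability in SAP BusinessObjects Business Intelligence Platform Medium 4.2
CVE-2026-27683 Reflected cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform Medium 4.1
CVE-2026-27680 CSS Injection vulnerability in SAP NetWeaver Application Server ABAP Low 3.1
CVE-2026-27675 Code Injection vulnerability in SAP Landscape Transformation Low 2.0
"""

# One table row: CVE id, free-text description, SAP priority word, one-decimal CVSS score.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,}) (?P<desc>.+?) (?P<prio>Critical|High|Medium|Low) (?P<score>\d+\.\d)$"
)


def component_of(description):
    """Heuristic (assumption): the product named after ' in ', minus any parenthetical detail."""
    m = re.search(r"\bin (?P<comp>[^(]+?)\s*(?:\(|$)", description)
    return m["comp"].strip() if m else "Unknown"


def parse_table(text):
    """Parse the flattened table into dicts; raise on any row that does not match so nothing is silently dropped."""
    entries = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        desc = m["desc"]
        entries.append({
            "cve": m["cve"],
            "description": desc,
            "priority": m["prio"],
            "cvss": float(m["score"]),
            "component": component_of(desc),
            "is_update": desc.startswith("Update:"),  # re-released note, not a new CVE
        })
    return entries


def cvss_band(score):
    """CVSS v3.x qualitative severity rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def priority_mismatches(entries):
    """CVEs whose SAP priority label disagrees with the CVSS band; these deserve a second look."""
    return [e["cve"] for e in entries if e["priority"] != cvss_band(e["cvss"])]


def triage(entries):
    """Patch order: highest CVSS first; at equal score a re-released note comes before new ones
    so a revised fix for an already-known issue is not overlooked."""
    return sorted(entries, key=lambda e: (-e["cvss"], not e["is_update"], e["cve"]))


def by_component(entries):
    """CVEs grouped by affected component, each group already in patch order."""
    groups = defaultdict(list)
    for e in triage(entries):
        groups[e["component"]].append(e["cve"])
    return dict(groups)


def severity_counts(entries):
    return Counter(e["priority"] for e in entries)


if __name__ == "__main__":
    entries = parse_table(PATCH_DAY_TABLE)
    print(dict(severity_counts(entries)), "label/band mismatches:", priority_mismatches(entries))
    for e in triage(entries):
        flag = " (UPDATE)" if e["is_update"] else ""
        print(f"{e['cvss']:4.1f} {e['priority']:<8} {e['cve']:<15} {e['component']}{flag}")
```

For this release every SAP priority label agrees with its CVSS band, so `priority_mismatches` returns an empty list; the same check is worth keeping for future Patch Days, where a label that sits above its band usually signals that SAP knows something the base score does not capture. The `by_component` output is what to hand to the team owning each landscape: three notes for BusinessObjects BI Platform, two for NetWeaver AS ABAP, and so on.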
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.