SAP Security Patch Day Addresses 26 Vulnerabilities
SAP released 26 new security notes on February 10, 2026, including two critical vulnerabilities in CRM, S/4HANA, and NetWeaver platforms.
SAP's February 2026 Security Patch Day delivered 26 new security notes and one update to a previously released note. The company rated two vulnerabilities as critical, seven as high priority, 16 as medium, and two as low severity.
Critical Code Injection in CRM and S/4HANA
CVE-2026-0488, scoring 9.9 on the CVSS scale, affects the Scripting Editor component in SAP CRM and S/4HANA. Authenticated attackers can exploit this code injection flaw to execute arbitrary SQL statements, potentially leading to full database compromise with high impact on confidentiality, integrity, and availability.
Missing Authorization in NetWeaver
CVE-2026-0509 (CVSS 9.6) addresses a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform. Low-privileged users can exploit this vulnerability to perform unauthorized background Remote Function Calls (RFCs), bypassing access controls designed to restrict privileged operations.
Additional High-Priority Issues
The patch release also includes an XML Signature Wrapping vulnerability in NetWeaver (CVSS 8.8) that weakens the identity and message-integrity guarantees of landscapes relying on signed XML exchanges. SAP reports no evidence of active exploitation but strongly recommends immediate patching to protect enterprise SAP environments.
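XML Signature Wrapping attacks in general exploit a gap between the element a signature covers and the element an application actually processes. The following is an added, generic illustration of the structural check a consumer can apply before trusting a signed message; it is not SAP's code, not the NetWeaver flaw described in this note, and the document layout, the Id attribute name and the "./Message" lookup path are constructed assumptions. Cryptographic verification of the signature is left to an XML-DSig library and must still run on the same element this check selects.

```python
"""Structural checks against XML Signature Wrapping (XSW).

Constructed example: the document shape below is a simplified, made-up
signed message, not SAP NetWeaver's message format.
"""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the Signature's Reference points at the single
# element carrying Id="msg-1", and that is the element the app will read.
GOOD_DOC = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Message Id="msg-1"><User>alice</User></Message>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#msg-1"/></ds:SignedInfo></ds:Signature>
</Envelope>"""

# Constructed wrapping variant 1: the signed element is moved into a
# wrapper and a copy with the same Id is placed where a naive consumer
# looks first. The Id now resolves to two elements.
WRAPPED_DUP_ID = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Message Id="msg-1"><User>mallory</User></Message>
  <Wrapper><Message Id="msg-1"><User>alice</User></Message></Wrapper>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#msg-1"/></ds:SignedInfo></ds:Signature>
</Envelope>"""

# Constructed wrapping variant 2: the injected element has no Id at all,
# so Id resolution still finds exactly one signed element, but it is not
# the element at the consumer's lookup path.
WRAPPED_NO_ID = """<Envelope xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Message><User>mallory</User></Message>
  <Wrapper><Message Id="msg-1"><User>alice</User></Message></Wrapper>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#msg-1"/></ds:SignedInfo></ds:Signature>
</Envelope>"""


class SignatureWrappingError(ValueError):
    """Raised when the signed element and the consumed element disagree."""


def signed_element(root):
    """Resolve the Signature's Reference URI to exactly one element by Id."""
    refs = root.findall(f".//{{{DSIG_NS}}}Reference")
    if len(refs) != 1:
        raise SignatureWrappingError(f"expected one ds:Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if not uri.startswith("#") or len(uri) < 2:
        raise SignatureWrappingError(f"unsupported Reference URI {uri!r}")
    target_id = uri[1:]
    # Search the whole tree: duplicate Ids anywhere are a wrapping signal.
    matches = [el for el in root.iter() if el.get("Id") == target_id]
    if len(matches) != 1:
        raise SignatureWrappingError(
            f"Id {target_id!r} resolves to {len(matches)} elements, need exactly 1")
    return matches[0]


def consume_message(xml_text, consumer_path="./Message"):
    """Return the User value only if the element the application would read
    (found via consumer_path, the app's own lookup) is the very element the
    signature references. Object identity, not equality, is compared."""
    root = ET.fromstring(xml_text)
    signed = signed_element(root)
    consumed = root.find(consumer_path)
    if consumed is None:
        raise SignatureWrappingError("no element at consumer path")
    if consumed is not signed:
        raise SignatureWrappingError("element to be processed is not the signed element")
    user = consumed.find("User")
    return user.text if user is not None else None


def is_wrapped(xml_text):
    """Convenience predicate: True if the structural check rejects the document."""
    try:
        consume_message(xml_text)
        return False
    except SignatureWrappingError:
        return True


if __name__ == "__main__":
    print("good document ->", consume_message(GOOD_DOC))
    for name, doc in (("duplicate Id", WRAPPED_DUP_ID), ("no Id", WRAPPED_NO_ID)):
        print(f"{name} variant rejected:", is_wrapped(doc))
```

The two rejection paths matter for different reasons: the duplicate-Id variant is caught at reference resolution, while the no-Id variant passes resolution and is only caught because the consumer compares the object it is about to process against the object the signature covers. Resolving the signed element and then handing that same object to the business logic is the habit that closes the gap; looking it up twice by path or by Id is where wrapping attacks find room.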