SAP February 2026 Patch Day: Critical Vulnerabilities Fixed in CRM, S/4HANA, and NetWeaver

SAP has released its February 2026 Security Patch Day updates, addressing multiple critical and high‑severity vulnerabilities across its enterprise applications. Organizations running SAP software should prioritize these patches to protect against potential exploitation.

Critical Vulnerabilities

CVE‑2026‑0488 – Code Injection in CRM and S/4HANA (CVSS 9.9)

A severe code injection flaw impacts the Scripting Editor component of SAP CRM and S/4HANA. Authenticated attackers could exploit this vulnerability to execute arbitrary SQL statements.

• Risk: Full database compromise
• Impact: Confidentiality, integrity, and availability of the application

CVE‑2026‑0509 – Missing Authorization in NetWeaver ABAP (CVSS 9.6)

SAP also patched a missing authorization check in NetWeaver Application Server ABAP and ABAP Platform.

• Risk: Low‑privileged users can perform background remote function calls without proper S_RFC authorization
• Impact: Unauthorized system actions and privilege escalation

High-Severity Vulnerabilities

SAP resolved seven additional high‑severity flaws across multiple products, including:

• NetWeaver: XML signature wrapping issue allowing attackers to send manipulated signed XML documents, potentially exposing sensitive user data and disrupting system usage.
• Other issues: missing authorization check, race condition, open redirect, and three denial‑of‑service (DoS) vulnerabilities.
• Affected components: Supply Chain Management, Solution Tools Plug‑In (ST‑PI), BusinessObjects, and Commerce Cloud.