Enterprise software program maker SAP on Tuesday introduced the discharge of 17 new safety notes as a part of its January 2026 Safety Patch Day. 4 of the notes tackle critical-severity vulnerabilities.
The primary notice in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS rating of 9.9), a vital SQL injection bug in S/4HANA.
The difficulty impacts a Distant Perform Name-enabled module counting on the ABAP Database Connectivity (ADBC) framework for the execution of a local SQL assertion, explains Onapsis, which found and reported the bug.
“This SQL assertion is offered by means of an enter parameter and permits an attacker to execute arbitrary SQL instructions. On profitable exploitation, the system may be totally compromised,” the safety agency notes.
The second vital bug that SAP addressed on Tuesday is CVE-2026-0500 (CVSS rating of 9.6), a distant code execution (RCE) challenge in Wily Introscope Enterprise Supervisor.
Based on Onapsis, the applying permits unauthenticated attackers to craft malicious JNLP (Java Community Launch Protocol) recordsdata that may be accessed by way of URLs.Commercial. Scroll to proceed studying.
When a sufferer clicks on such a URL, the Wily Introscope Server executes instructions on the sufferer’s utility, impacting the applying’s confidentiality, integrity, and availability.
Third in line is CVE-2026-0498 (CVSS rating of 9.1), which is described as a code injection vulnerability in S/4HANA that would result in OS command injection and full system compromise.
The bug exists because of “a remote-enabled operate module that permits an attacker with admin privileges to arbitrarily modify the supply code of present applications with out implementing important authentication checks,” Onapsis explains.
The fourth critical-severity flaw addressed on SAP’s January 2026 Safety Patch Day is CVE-2026-0491 (CVSS rating of 9.1), a code injection defect in Panorama Transformation. Based on Onapsis, this is similar susceptible operate, however “the affected element is shipped as a separate DMIS add-on”.
On Tuesday, SAP additionally launched 4 safety notes coping with high-severity vulnerabilities in HANA database, Utility Server for ABAP and NetWeaver RFCSDK, Fiori App, and NetWeaver Utility Server ABAP and ABAP Platform.
Profitable exploitation of those bugs may permit attackers to raise their privileges to administrator, add specifically crafted content material to execute arbitrary instructions, escalate privilege because of a lacking authorization, and misuse a remote-enabled operate module for type routine execution.
The remaining 9 safety notes in SAP’s January 2026 advisory resolve medium- and low-severity flaws in ERP Central Part and S/4HANA, NetWeaver, Enterprise Connector, Provider Relationship Administration, Fiori App, Enterprise Server Pages Utility, Id Administration, and NW AS Java UME Person Mapping.
Organizations are suggested to overview the recent SAP safety notes and apply the patches as quickly as potential, as susceptible SAP functions are enticing targets for menace actors.
Associated: SAP Patches Important Vulnerabilities With December 2025 Safety Updates
Associated: SAP Patches Important Flaws in SQL Anyplace Monitor, Answer Supervisor
Associated: SAP Patches Important Vulnerabilities in NetWeaver, Print Service, SRM
Associated: SAP Patches Important NetWeaver Vulnerabilities
