SAP launched 17 new safety notes on January 13, 2026, as a part of its month-to-month Safety Patch Day, addressing important injection flaws and distant code execution vulnerabilities throughout key merchandise.
No updates addressed prior notes, urging organizations to behave swiftly on the 4 HotNews-level vulnerabilities.
4 important points dominate this patch cycle, with CVSS scores reaching 9.9, indicating extreme impacts equivalent to full-system compromise. Attackers might exploit these remotely, usually with low privileges, to control information or execute code throughout scopes.
Essentially the most urgent situation is SQL injection in SAP S/4HANA Non-public Cloud and On-Premise Financials – Common Ledger (CVE-2026-0501), the place authenticated, low-privilege customers can inject arbitrary SQL queries, compromising the confidentiality, integrity, and availability of monetary information.
Distant code execution strikes SAP Wily Introscope Enterprise Supervisor Workstation (CVE-2026-0500), permitting unauthenticated attackers with person interplay to grab management.
Code injection flaws hit SAP S/4HANA (CVE-2026-0498) and Panorama Transformation (CVE-2026-0491), each with a CVSS rating of 9.1, letting high-privilege customers inject and run malicious code remotely.
Notice #CVE IDProductAffected VersionsCVSS v3.1Priority3687749CVE-2026-0501S/4HANA (Financials – Common Ledger)S4CORE 102-1099.9Important3668679CVE-2026-0500Wily Introscope Enterprise SupervisorWILY_INTRO_ENTERPRISE 10.89.6Important3694242CVE-2026-0498S/4HANA (Non-public Cloud/On-Premise)S4CORE 102-1099.1Important3697979CVE-2026-0491Panorama TransformationDMIS 2011_1_700 to 20209.1Important
Excessive and Medium Dangers
Excessive-priority notes embrace privilege escalation in SAP HANA (CVE-2026-0492, CVSS 8.8), letting low-privilege customers achieve full database management, and OS command injection in ABAP servers (CVE-2026-0507, CVSS 8.4).
Lacking authorizations in NetWeaver ABAP (CVE-2026-0506, CVSS 8.1) and Fiori apps (CVE-2026-0511 et al., CVSS 8.1) expose integrity and information leaks.
Medium points cowl XSS in NetWeaver Portal (CVE-2026-0499, CVSS 6.1) and Enterprise Connector (CVE-2026-0514), open redirects, CSRF, and data disclosures in Fiori and SRM, all with community attain. Low-severity fixes deal with weak JNDI enter and out of date encryption in Id Administration and NW Java.
Notice #CVE IDProductCVSS v3.1Priority3691059CVE-2026-0492SAP HANA8.8Excessive3675151CVE-2026-0507ABAP/NetWeaver RFCSDK8.4Excessive3688703CVE-2026-0506NetWeaver ABAP8.1Excessive3565506CVE-2026-0511Fiori (Intercompany)8.1Excessive
Directors should patch important notes instantly, SQL injection and RCE inside 24 hours, and code injections urgently to avert breaches in finance and monitoring instruments.
Check patches in staging environments first, prioritizing S/4HANA and HANA deployments widespread in enterprises. SAP stresses reviewing notes on the Help Portal and layering defenses like community segmentation till updates apply.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
