=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN024
_____________________________________________________________________

DATE                : 13/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2026.html
_____________________________________________________________________


SAP Security Patch Day - January 2026

This post shares information on the security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the Support Portal and apply the patches with
priority to protect their SAP landscape.

On 13th of January 2026, SAP security patch day saw the release of
17 new security notes. There are no updates to previously released
patch day security notes.

Security notes released (note number, title, product, affected
version(s), priority, CVSS score):

Note# - 3687749
[CVE-2026-0501] SQL Injection Vulnerability in SAP S/4HANA Private
Cloud and On-Premise (Financials – General Ledger)
Product - SAP S/4HANA Private Cloud and On-Premise (Financials –
General Ledger)
Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109
Priority - Critical
CVSS - 9.9

Note# - 3668679
[CVE-2026-0500] Remote code execution in SAP Wily Introscope Enterprise
Manager (WorkStation)
Product - SAP Wily Introscope Enterprise Manager (WorkStation)
Version(s) - WILY_INTRO_ENTERPRISE 10.8
Priority - Critical
CVSS - 9.6

Note# - 3694242
[CVE-2026-0498] Code Injection vulnerability in SAP S/4HANA (Private
Cloud and On-Premise)
Product - SAP S/4HANA (Private Cloud and On-Premise)
Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109
Priority - Critical
CVSS - 9.1

Note# - 3697979
[CVE-2026-0491] Code Injection vulnerability in SAP Landscape
Transformation
Product - SAP Landscape Transformation
Version(s) - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731,
2018_1_752, 2020
Priority - Critical
CVSS - 9.1

Note# - 3691059
[CVE-2026-0492] Privilege escalation vulnerability in SAP HANA
database
Product - SAP HANA database
Version(s) - HDB 2.00
Priority - High
CVSS - 8.8

Note# - 3675151
[CVE-2026-0507] OS Command Injection vulnerability in SAP
Application Server for ABAP and SAP NetWeaver RFCSDK
Product - SAP Application Server for ABAP and SAP NetWeaver RFCSDK
Version(s) - KRNL64UC 7.53, NWRFCSDK 7.50, KERNEL 7.53, 7.54,
7.77, 7.89, 7.93, 9.16
Priority - High
CVSS - 8.4

Note# - 3565506
[CVE-2026-0511] Multiple vulnerabilities in SAP Fiori App
(Intercompany Balance Reconciliation)
Additional CVE - CVE-2026-0496, CVE-2026-0495
Product - SAP Fiori App (Intercompany Balance Reconciliation)
Version(s) - UIAPFI70 500, 600, 700, 800, 900, 901, 902,
S4CORE 102, 103, 104, 105, 106, 107, 108
Priority - High
CVSS - 8.1

Note# - 3688703
[CVE-2026-0506] Missing Authorization check in SAP NetWeaver
Application Server ABAP and ABAP Platform
Product - SAP NetWeaver Application Server ABAP and ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Priority - High
CVSS - 8.1

Note# - 3681523
[CVE-2026-0503] Missing Authorization check in SAP ERP Central
Component and SAP S/4HANA (SAP EHS Management)
Product - SAP ERP Central Component and SAP S/4HANA (SAP EHS Management)
Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108,
109, EA-APPL 605, 606, 617
Priority - Medium
CVSS - 6.4

Note# - 3687372
[CVE-2026-0499] Cross-Site Scripting (XSS) vulnerability in SAP
NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal
Version(s) - EP-RUNTIME 7.50
Priority - Medium
CVSS - 6.1

Note# - 3666061
[CVE-2026-0514] Cross-Site Scripting (XSS) vulnerability in SAP
Business Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8
Priority - Medium
CVSS - 6.1

Note# - 3638716
[CVE-2026-0513] Open Redirect Vulnerability in SAP Supplier
Relationship Management (SICF Handler in SRM Catalog)
Product - SAP Supplier Relationship Management (SICF Handler in
SRM Catalog)
Version(s) - SRM_SERVER 700, 701, 702, 713, 714
Priority - Medium
CVSS - 4.7

Note# - 3655227
[CVE-2026-0494] Information Disclosure vulnerability in SAP Fiori
App (Intercompany Balance Reconciliation)
Product - SAP Fiori App (Intercompany Balance Reconciliation)
Version(s) - UIAPFI70 500, 600, 700, 800, 900, 901, 902, UIS4H 109
Priority - Medium
CVSS - 4.3

Note# - 3655229
[CVE-2026-0493] Cross-Site Request Forgery (CSRF) vulnerability in
SAP Fiori App (Intercompany Balance Reconciliation)
Product - SAP Fiori App (Intercompany Balance Reconciliation)
Version(s) - UIAPFI70 500, 600, 700, 800, 900, 901, 902, S4CORE 102,
103, 104, 105, 106, 107, 108, 109, UIS4H 109
Priority - Medium
CVSS - 4.3

Note# - 3677111
[CVE-2026-0497] Missing Authorization check in Business Server Pages
Application (Product Designer Web UI)
Product - Business Server Pages Application (Product Designer Web UI)
Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108,
109, EA-APPL 600, 602, 603, 604, 605, 606, 617
Priority - Medium
CVSS - 4.3

Note# - 3657998
[CVE-2026-0504] Insufficient Input Handling in JNDI Operations of
SAP Identity Management
Product - SAP Identity Management
Version(s) - IDM_CLM_REST_API 8.0, IDMIC 8.0
Priority - Low
CVSS - 3.8

Note# - 3593356
[CVE-2026-0510] Obsolete Encryption Algorithm Used in NW AS Java
UME User Mapping
Product - NW AS Java UME User Mapping
Version(s) - ENGINEAPI 7.50, SERVERCORE 7.50, UMEADMIN 7.50
Priority - Low
CVSS - 3.0


To know more about the security researchers and research companies
who have contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to ensuring secure
operation and data integrity. We have therefore documented security
recommendations, consolidated in this document, to help you
configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can
write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================