=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN144
_____________________________________________________________________

DATE                : 10/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2026.html
_____________________________________________________________________


SAP Security Patch Day - February 2026

This post shares information on the security notes that remediate 
vulnerabilities discovered in SAP products. SAP strongly recommends 
that customers visit the Support Portal and apply patches as a 
priority to protect their SAP landscape.

On 10th of February 2026, SAP Security Patch Day saw the release of 26 
new security notes. In addition, there was 1 update to a previously 
released Security Note.

Note#     Title                    Priority          CVSS

3697099
[CVE-2026-0488] Code Injection vulnerability in SAP CRM and SAP 
S/4HANA (Scripting Editor)
Product - SAP CRM and SAP S/4HANA (Scripting Editor)
Version(s) - S4FND 102, 103, 104, 105, 106, 107, 108, 109, SAP_ABA 
700, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801
Critical
9.9

3674774
[CVE-2026-0509] Missing Authorization check in SAP NetWeaver 
Application Server ABAP and ABAP Platform
Product - SAP NetWeaver Application Server ABAP and ABAP Platform
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 
KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19
Critical
9.6

3697567
[CVE-2026-23687] XML Signature Wrapping in SAP NetWeaver AS ABAP and 
ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 
731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, 
SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 
757, SAP_BASIS 758, SAP_BASIS 804, SAP_BASIS 916, SAP_BASIS 917, 
SAP_BASIS 918
High
8.8

3703092
[CVE-2026-23689] Denial of service (DOS) in SAP Supply Chain Management
Product - SAP Supply Chain Management
Version(s) - SCMAPO 713, 714, SCM 700, 701, 702, 712
High
7.7

3705882
[CVE-2026-24322] Missing Authorization check in SAP Solution Tools 
Plug-In (ST-PI)
Product - SAP Solution Tools Plug-In (ST-PI)
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758
High
7.7

3654236
[CVE-2026-0490] Denial of service (DOS) in SAP BusinessObjects BI 
Platform
Product - SAP BusinessObjects BI Platform
Version(s) - ENTERPRISE 430, 2025, 2027
High
7.5

3678282
[CVE-2026-0485] Denial of service (DOS) vulnerability in SAP 
BusinessObjects BI Platform
Product - SAP BusinessObjects BI Platform
Version(s) - ENTERPRISE 430, 2025, 2027
High
7.5

3692405
[CVE-2025-12383] Race Condition in SAP Commerce Cloud
Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21
High
7.4

3674246
[CVE-2026-0508] Open Redirect vulnerability in SAP BusinessObjects 
Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform
Version(s) - ENTERPRISE 430, 2025, 2027
High
7.3

3672622
[CVE-2026-0484] Missing Authorization check in SAP NetWeaver 
Application Server ABAP and SAP S/4HANA
Product - SAP NetWeaver Application Server ABAP and SAP S/4HANA
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 
731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, 
SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 
757, SAP_BASIS 758, SAP_BASIS 816
Medium
6.5

3695912
[CVE-2026-24324] Denial of service (DOS) vulnerability in SAP 
BusinessObjects Business Intelligence Platform (AdminTools)
Product - SAP BusinessObjects Business Intelligence Platform 
(AdminTools)
Version(s) - ENTERPRISE 430, 2025, 2027
Medium
6.5

3678417
[Multiple CVEs] Multiple vulnerabilities in BSP Applications of SAP 
Document Management System
Additional CVE - CVE-2026-0505, CVE-2026-24323
Product - SAP Document Management System
Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106, 107, 108, 
109, EA-APPL 600, 602, 603, 604, 605, 606, 617
Medium
6.1

3688319
[CVE-2026-24328] Open Redirection vulnerability in Business Server 
Pages Application (TAF_APPLAUNCHER)
Product - Business Server Pages Application (TAF_APPLAUNCHER)
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758
Medium
6.1

3503138
Update to Security Note released on January 2025 Patch Day:
[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver 
Application Server ABAP (applications based on SAP GUI for HTML)
Product - SAP NetWeaver Application Server ABAP (applications based on 
SAP GUI for HTML)
Version(s) - KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12, 
9.14
Medium
6.0

3689543
[CVE-2026-23684] Race condition vulnerability in SAP Commerce Cloud
Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
Medium
5.9

3679346
[CVE-2026-24319] Information Disclosure Vulnerability in SAP Business 
One (B1 Client Memory Dump Files)
Product - SAP Business One (B1 Client Memory Dump Files)
Version(s) - B1_ON_HANA 10.0, SAP-M-BO 10.0
Medium
5.8

3687771
[CVE-2026-24321] Information Disclosure vulnerability in SAP Commerce 
Cloud
Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
Medium
5.3

3710111
[CVE-2026-24312] Missing authorization check in SAP Business Workflow
Product - SAP Business Workflow
Version(s) - SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 
755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Medium
5.2

3691645
[CVE-2026-0486] Missing Authorization Check in ABAP based SAP systems
Product - ABAP based SAP systems
Version(s) - ST-PI 2005_1_700, 2008_1_710, 740, 758
Medium
5.0

3697256
[CVE-2026-24325] Cross Site Scripting (XSS) vulnerability in SAP 
BusinessObjects Enterprise (Central Management Console)
Product - SAP BusinessObjects Enterprise (Central Management Console)
Version(s) - ENTERPRISE 430, 2025, 2027
Medium
4.8

3687285
[CVE-2026-23685] Insecure Deserialization vulnerability in SAP 
NetWeaver (JMS service)
Product - SAP NetWeaver (JMS service)
Version(s) - J2EE-FRMW 7.50
Medium
4.4

3215823
[CVE-2026-23688] Missing Authorization check in SAP Fiori App (Manage 
Service Entry Sheets - Lean Services)
Product - SAP Fiori App (Manage Service Entry Sheets - Lean Services)
Version(s) - S4CORE 102, 103, 104, 105, 106, 107
Medium
4.3

3680416
[CVE-2026-23681] Missing Authorization check in a function module in 
SAP Support Tools Plug-In
Product - SAP Support Tools Plug-In
Version(s) - ST-PI 2008_1_700, 2008_1_710, 740, 758
Medium
4.3

3678009
[CVE-2026-24326] Missing authorization check in SAP S/4HANA Defense & 
Security (Disconnected Operations)
Product - SAP S/4HANA Defense & Security (Disconnected Operations)
Version(s) - EA-DFPS 600, 603, 604, 605, 606, 616, 617, 618, 619, 800, 
801, 802, 803, 804, 805, 806, 807, 808, 809
Medium
4.3

3680390
[CVE-2026-24327] Missing Authorization Check in SAP Strategic 
Enterprise Management (Balanced Scorecard in BSP Application)
Product - SAP Strategic Enterprise Management (Balanced Scorecard in 
BSP Application)
Version(s) - SEM-BW 600, 700, 602, 603, 604, 605, 634, 736, 746, 747, 
748, 800
Medium
4.3

3673213
[CVE-2026-23686] CRLF Injection vulnerability in SAP NetWeaver 
Application Server Java
Product - SAP NetWeaver Application Server Java
Version(s) - LMNWABASICAPPS 7.50
Low
3.4

3678313
[CVE-2026-24320] Memory Corruption vulnerability in SAP NetWeaver and 
ABAP Platform (Application Server ABAP)
Product - SAP NetWeaver and ABAP Platform (Application Server ABAP)
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 
8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.16, 9.17, 
9.18
Low
3.1


To know more about the security researchers and research companies who 
have contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud 
services. Secure configuration is essential to ensuring secure 
operation and data integrity. We have therefore documented 
security recommendations that are consolidated in this document to 
help you configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to 
secure@sap.com.

 
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




