=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN396
_____________________________________________________________________

DATE                : 16/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2026.html
_____________________________________________________________________


SAP Security Patch Day - April 2026

This post shares information on security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the support portal and apply patches as a
priority to protect their SAP landscape.

On 14th of April 2026, SAP security patch day saw the release of 19
new security notes. There is 1 update to a previously released
security note.

Note#      : 3719353
Title      : [CVE-2026-27681] SQL Injection vulnerability in SAP Business
             Planning and Consolidation and SAP Business Warehouse
Product    : SAP Business Planning and Consolidation and SAP Business
             Warehouse
Version(s) : HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755,
             756, 757, 758, 816
Priority   : Critical
CVSS       : 9.9

Note#      : 3731908
Title      : [CVE-2026-34256] Missing Authorization check in SAP ERP and
             SAP S/4 HANA (Private Cloud and On-Premise)
Product    : SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)
Version(s) : SAP_FIN 618, 720, 730, EA-FIN 617, 700, SAPSCORE 135,
             S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600,
             602, 603, 604, 605, 606
Priority   : High
CVSS       : 7.1

Note#      : 3696239
Title      : [CVE-2025-64775] Denial of Service Vulnerability in SAP
             BusinessObjects Business Intelligence Platform
Product    : SAP BusinessObjects Business Intelligence Platform
Version(s) : ENTERPRISE 430, 2025, 2027
Priority   : Medium
CVSS       : 6.5

Note#      : 3680767
Title      : [CVE-2026-34264] Information Disclosure vulnerability in SAP
             Human Capital Management for SAP S/4HANA
Product    : SAP Human Capital Management for SAP S/4HANA
Version(s) : S4HCMRXX 100, 101, 102, SAP_HRRXX 600, 604, 608
Priority   : Medium
CVSS       : 6.5

Note#      : 3705094
Title      : [CVE-2026-34261] Missing Authorization check in SAP Business
             Analytics and SAP Content Management
Product    : SAP Business Analytics and SAP Content Management
Version(s) : S4HCMRXX 100, 101, 102, SAP_HRRXX 600, 604, 608
Priority   : Medium
CVSS       : 6.5

Note#      : 3715097
Title      : [CVE-2026-27677] Missing Authorization check in SAP S/4HANA
             OData Service (Manage Reference Equipment)
Product    : SAP S/4HANA OData Service (Manage Reference Equipment)
Version(s) : S4CORE 109
Priority   : Medium
CVSS       : 6.5

Note#      : 3715177
Title      : [CVE-2026-27678] Missing Authorization check in SAP S/4HANA
             Backend OData Service (Manage Reference Structures)
Product    : SAP S/4HANA Backend OData Service (Manage Reference
             Structures)
Version(s) : S4CORE 109
Priority   : Medium
CVSS       : 6.5

Note#      : 3716767
Title      : [CVE-2026-27679] Missing Authorization check in SAP S/4HANA
             Frontend OData Service (Manage Reference Structures)
Product    : SAP S/4HANA Frontend OData Service (Manage Reference
             Structures)
Version(s) : UIS4H 109
Priority   : Medium
CVSS       : 6.5

Note#      : 3645228
Title      : [CVE-2026-0512] Cross-Site Scripting (XSS) vulnerability in
             SAP Supplier Relationship Management (SICF Handler in SRM
             Catalog)
Product    : SAP Supplier Relationship Management (SICF Handler in SRM
             Catalog)
Version(s) : SRM_SERVER 702, 713, 714
Priority   : Medium
CVSS       : 6.1

Note#      : 3719397
Title      : [CVE-2026-27674] Code Injection vulnerability in SAP
             NetWeaver Application Server Java (Web Dynpro Java)
Product    : SAP NetWeaver Application Server Java (Web Dynpro Java)
Version(s) : WD-RUNTIME 7.50
Priority   : Medium
CVSS       : 6.1

Note#      : 3692004
Title      : [CVE-2026-34257] Open Redirect vulnerability in SAP
             NetWeaver Application Server ABAP
Product    : SAP NetWeaver Application Server ABAP
Version(s) : SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731,
             SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 752, SAP_BASIS 753,
             SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757,
             SAP_BASIS 758, SAP_BASIS 816
Priority   : Medium
CVSS       : 6.1

Note#      : 3730639
Title      : [CVE-2026-34262] Information Disclosure Vulnerability in SAP
             HANA Cockpit and HANA Database Explorer
Product    : SAP HANA Cockpit and HANA Database Explorer
Version(s) : SAP_HANA_COCKPIT 2.0
Priority   : Medium
CVSS       : 5.0

Note#      : 3703813
Title      : [CVE-2026-27673] Missing Authorization Check in SAP S/4HANA
             (Private Cloud and On-Premise)
Product    : SAP S/4HANA (Private Cloud and On-Premise)
Version(s) : S4CORE 105, 106, 107, 108, 109, FI-CA 606, 616, 617, 618
Priority   : Medium
CVSS       : 4.9

Note#      : 3703276
Title      : [CVE-2026-27672] Missing Authorization check in Material
             Master Application
Product    : Material Master Application
Version(s) : S4CORE 102, 103, 104, 105, 106, 107, 108, 109, SCM_BASIS
             700, SCM_BASIS 701, SCM_BASIS 702, SCM_BASIS 712, SCM_BASIS
             713, SCM_BASIS 714
Priority   : Medium
CVSS       : 4.3

Note#      : 3711682
Title      : [CVE-2026-27676] Missing Authorization check in SAP S/4HANA
             OData Service (Manage Technical Object Structures)
Product    : SAP S/4HANA OData Service (Manage Technical Object
             Structures)
Version(s) : S4CORE 109
Priority   : Medium
CVSS       : 4.3

Note#      : 3530544
Title      : Update to Security Note released on November 2025 Patch Day:
             [CVE-2025-42899] Missing Authorization check in SAP S4CORE
             (Manage Journal Entries)
Product    : SAP S4CORE (Manage Journal Entries)
Version(s) : S4CORE 104, 105, 106, 107, 108
Priority   : Medium
CVSS       : 4.3

Note#      : 3702191
Title      : [CVE-2026-24318] Insecure Session Management vulnerability
             in SAP BusinessObjects Business Intelligence Platform
Product    : SAP BusinessObjects Business Intelligence Platform
Version(s) : ENTERPRISE 430, 2025, 2027
Priority   : Medium
CVSS       : 4.2

Note#      : 3698216
Title      : [CVE-2026-27683] Reflected cross site scripting
             vulnerability in SAP BusinessObjects Business Intelligence
             Platform
Product    : SAP BusinessObjects Business Intelligence Platform
Version(s) : ENTERPRISE 430, 2025, 2027
Priority   : Medium
CVSS       : 4.1

Note#      : 3665042
Title      : [CVE-2026-27680] CSS Injection vulnerability in SAP
             NetWeaver Application Server ABAP
Product    : SAP NetWeaver Application Server ABAP
Version(s) : SAP_UI 758, 816
Priority   : Low
CVSS       : 3.1

Note#      : 3723097
Title      : [CVE-2026-27675] Code Injection vulnerability in SAP
             Landscape Transformation
Product    : SAP Landscape Transformation
Version(s) : DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731,
             2011_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107, 108,
             109
Priority   : Low
CVSS       : 2.0

To learn more about the security researchers and research companies
who have contributed to this month's security patches, visit
here.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to ensuring secure
operation and data integrity. We have therefore documented
security recommendations that are consolidated in this document
to help you configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can
write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




