
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN617
_____________________________________________________________________

DATE                : 11/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2026.html
_____________________________________________________________________


SAP Security Patch Day - June 2026

This post provides information on the security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the support portal and apply patches as a
priority to protect their SAP landscape.

On 9 June 2026, SAP Security Patch Day saw the release of 15
new security notes.

 

Note#    Title     Priority                               CVSS

3746332
[CVE-2026-44748] XML Signature Wrapping in SAML Authentication in
SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform
Version(s) - SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740,
SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757,
SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918, SAP_BASIS 919
Priority - Critical
CVSS - 9.9

3717897
[CVE-2026-27671] Memory Corruption vulnerability in Application
Server ABAP of SAP NetWeaver and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 722EXT, 7.53,
KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 91.9
Priority - Critical
CVSS - 9.8

3748262
[CVE-2026-22732] Potential Spring Security vulnerability within SAP
Commerce Cloud and SAP Data Hub
Product - SAP Commerce Cloud and SAP Data Hub
Version(s) - HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, 2211-JDK21,
DHUB_CLOUD 2211
Priority - Critical
CVSS - 9.1

3727078
[CVE-2026-40128] Directory Traversal vulnerability in SAP NetWeaver
Application Server Java (Web Container)
Product - SAP NetWeaver Application Server Java (Web Container)
Version(s) - ENGINEAPI 7.50
Priority - Critical
CVSS - 9.0

3747484
[CVE-2026-29145] Multiple vulnerabilities in Apache Tomcat within
SAP Commerce Cloud
Related CVEs - CVE-2025-66614, CVE-2026-24734
Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
Priority - High
CVSS - 7.4

3735546
[CVE-2026-44751] Missing Authorization check in Application Server
ABAP of SAP NetWeaver and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731,
SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752,
SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Priority - High
CVSS - 7.1

3748819
[CVE-2026-44754] Missing caller identification check-in for
ODP Data Replication APIs
Product - ODP Data Replication APIs
Version(s) - DW4CORE 200, 300, 400, PI_BASIS 2006_1_700, 701, 702,
731, 740, SAP_BW 750, 816
Priority - Medium
CVSS - 6.6

3751691
[CVE-2026-44744] SQL Injection vulnerability in SAP S/4HANA
Product - SAP S/4HANA
Version(s) - S4FND 102, 103, 104, 105, 106, 107, 108, 109
Priority - Medium
CVSS - 6.5

3723655
[CVE-2026-44746] Reflected Cross-Site Scripting (XSS) vulnerability
in SAP NetWeaver AS Java (JDBC Test Servlet)
Product - SAP NetWeaver AS Java (JDBC Test Servlet)
Version(s) - BI_UDI 7.50
Priority - Medium
CVSS - 6.1

3715280
[CVE-2026-44757] Cross-Site Scripting (XSS) vulnerability in SAP
Wily Introscope Enterprise Manager
Product - SAP Wily Introscope Enterprise Manager
Version(s) - WILY_INTRO_ENTERPRISE 10.8
Priority - Medium
CVSS - 4.7

3673181
[CVE-2026-44750] Missing Authorization check in SAP MDG
(Review Match Groups Application)
Product - SAP MDG (Review Match Groups Application)
Version(s) - S4CORE 108, SAP_BASIS 916, SAP_BASIS 917, SAP_ABA 816
Priority - Medium
CVSS - 4.3

3687096
[CVE-2026-44755] Email Spoofing vulnerability in SAP Business
Objects Business Intelligence Platform
Product - SAP Business Objects Business Intelligence Platform
Version(s) - ENTERPRISE 430, 2025, 2027
Priority - Medium
CVSS - 4.3

3682699
[CVE-2026-24315] Path Traversal Vulnerability in SAP Fiori
(launchpad)
Product - SAP Fiori (launchpad)
Version(s) - SAP_UI 754, 755, 756, 757, 758, 816
Priority - Medium
CVSS - 4.2

3706000
[CVE-2026-44743] Security Misconfiguration vulnerability in
SAP Business Objects
Product - SAP Business Objects
Version(s) - ENTERPRISE 430, 2025, 2027
Priority - Low
CVSS - 3.7

3726899
[CVE-2025-68161] Potential vulnerability in Apache Log4j
library used by SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version(s) - SERVERCORE 7.50, CORE-TOOLS 7.50, J2EE-APPS 7.50
Priority - Low
CVSS - 3.3

To learn more about the security researchers and research companies
who have contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to ensuring secure
operation and data integrity. We have therefore documented
security recommendations that are consolidated in this document
to help you configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can
write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




