April 2026 · 13 notes
Patch Intelligence · SAP Security Patches
Every SAP Security Note from Patch Tuesday, ranked by how much it matters to a typical landscape. Tier 1 products are in almost every SAP shop; a missed patch there is the gap BASIS admins get held accountable for.
1 Critical · 2 High · 8 Medium · 2 Low
Tier 1 · Always covered
Products in virtually every SAP environment. Patch these first, every month.
SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
A low-privileged authenticated user can upload a file containing arbitrary SQL statements that are then executed against the database. Full read, modify, and delete access to database content is possible. Manipulated planning figures, broken reports, and deleted consolidation data can result.
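The upload path described above is the classic shape of this bug: file content reaches the database as SQL text instead of as data. The following is an added example, not code from SAP or from this page, using SQLite as a stand-in for the SAP database; the table names, field formats and upload contents are constructed for illustration. It shows the vulnerable pattern (executing the uploaded text) next to a hardened loader that parses the upload as the expected delimited format, validates each field, and binds values with parameterized statements.

```python
import csv
import io
import math
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed schema standing in for planning/consolidation tables (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE planning (account TEXT, period TEXT, amount REAL)")
    conn.execute("CREATE TABLE consolidation (entity TEXT, total REAL)")
    conn.execute("INSERT INTO consolidation VALUES ('HQ', 1000.0)")
    conn.commit()
    return conn


# Constructed uploads. The first looks like a planning load but carries a second statement.
MALICIOUS_UPLOAD = (
    "INSERT INTO planning VALUES ('4000', '2026.04', 100);\n"
    "DELETE FROM consolidation;\n"
)
# A well-formed upload in the format the hardened loader expects.
BENIGN_UPLOAD = "account,period,amount\n4000,2026.04,100\n4010,2026.04,250.5\n"
# A well-formed header with an injection attempt smuggled inside a field.
SMUGGLED_UPLOAD = "account,period,amount\n4000');DELETE FROM consolidation;--,2026.04,100\n"


def load_vulnerable(conn: sqlite3.Connection, upload: str) -> None:
    """Vulnerable pattern: the uploaded text is handed to the database as SQL."""
    conn.executescript(upload)
    conn.commit()


EXPECTED_COLUMNS = ["account", "period", "amount"]
ACCOUNT_RE = re.compile(r"[0-9]{4,10}")            # assumed account number format
PERIOD_RE = re.compile(r"[0-9]{4}\.(0[1-9]|1[0-2])")  # assumed YYYY.MM period format


def load_hardened(conn: sqlite3.Connection, upload: str) -> int:
    """Hardened loader: treat the upload as data in a fixed format, never as SQL.

    Returns the number of rows inserted; raises ValueError on any malformed input,
    and inserts nothing in that case.
    """
    reader = csv.DictReader(io.StringIO(upload))
    if reader.fieldnames != EXPECTED_COLUMNS:
        raise ValueError("unexpected header")
    rows = []
    for lineno, rec in enumerate(reader, start=2):
        # DictReader marks surplus fields under key None and missing ones as value None.
        if None in rec or None in rec.values():
            raise ValueError(f"line {lineno}: wrong field count")
        if not ACCOUNT_RE.fullmatch(rec["account"]):
            raise ValueError(f"line {lineno}: bad account")
        if not PERIOD_RE.fullmatch(rec["period"]):
            raise ValueError(f"line {lineno}: bad period")
        try:
            amount = float(rec["amount"])
        except ValueError:
            raise ValueError(f"line {lineno}: bad amount") from None
        if not math.isfinite(amount):
            raise ValueError(f"line {lineno}: bad amount")
        rows.append((rec["account"], rec["period"], amount))
    # Values are bound as parameters: even a field that slipped past validation
    # would be stored as a string, not executed as SQL.
    conn.executemany("INSERT INTO planning VALUES (?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def upload_accepted(conn: sqlite3.Connection, upload: str) -> bool:
    """True if the hardened loader accepted the upload, False if it rejected it."""
    try:
        load_hardened(conn, upload)
        return True
    except ValueError:
        return False


def row_count(conn: sqlite3.Connection, table: str) -> int:
    # Identifiers cannot be bound as parameters, so the table name is allowlisted.
    if table not in ("planning", "consolidation"):
        raise ValueError("unknown table")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```

Run against the constructed uploads, the vulnerable loader executes the trailing DELETE and empties the consolidation table; the hardened loader rejects both the raw SQL file and the smuggled field at the header and field checks, and loads only the well-formed file.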
Missing Authorization check in SAP ERP and SAP S/4HANA
An authenticated attacker can execute a specific ABAP program to overwrite any existing eight-character executable program without authorization. Impacts availability and integrity of the affected report. Confidentiality is not affected.
Code Injection vulnerability in SAP NetWeaver AS Java (Web Dynpro)
A code injection vulnerability in the Web Dynpro Java runtime. An attacker who can reach the affected component could inject and execute arbitrary code through it.
Open Redirect vulnerability in SAP NetWeaver AS ABAP
An unauthenticated attacker can craft malicious URLs that, when accessed by a victim, redirect them to an attacker-controlled page. Affects confidentiality and integrity through potential phishing vectors.
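The fix for an open redirect is to validate where the user will actually end up, not the raw string. The following is an added example, not SAP's code or anything from this page; an equivalent check on the AS ABAP side would be written in ABAP, and the origin, allowlisted hosts and default landing page below are assumptions. It resolves the requested target against the application's own origin the way a browser would and only redirects when the resulting host is allowlisted, which defeats the usual bypasses (scheme-relative targets, bare-scheme targets, userinfo tricks, look-alike domains, backslashes and header-splitting characters).

```python
from urllib.parse import urljoin, urlsplit

# Assumptions: the application's own origin and the hosts users may be sent to.
BASE_URL = "https://sap.example.com/"
ALLOWED_HOSTS = {"sap.example.com", "portal.example.com"}
# Safe landing page used whenever the requested target is not acceptable (assumption).
DEFAULT_TARGET = "https://sap.example.com/sap/bc/ui2/flp"


def resolve_redirect(target: str) -> str:
    """Return an absolute URL it is safe to redirect to, or DEFAULT_TARGET.

    The target is resolved against BASE_URL as a browser would resolve it, and
    the host of the resolved URL is checked against the allowlist. Checking the
    resolved URL, rather than pattern-matching the raw string, is what makes the
    check robust.
    """
    if not target or not target.strip():
        return DEFAULT_TARGET
    # Browsers treat backslashes like forward slashes, and line breaks could
    # split the Location header; neither belongs in a redirect target.
    if any(ch in target for ch in "\\\r\n"):
        return DEFAULT_TARGET
    resolved = urljoin(BASE_URL, target.strip())
    parts = urlsplit(resolved)
    # Only https: this also rejects "javascript:" and bare "http:evil" targets.
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # hostname is the real host after userinfo and port are stripped, lowercased.
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return resolved
```

The function returns the URL the application should send in its redirect; callers should use that return value rather than the original parameter.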
Missing Authorization check in SAP Business Analytics and SAP Content Management
Remote-enabled function modules allow an authenticated user to access sensitive information beyond their intended permissions. After patching, the vulnerable function modules are no longer accessible remotely.
Information Disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer
An information disclosure vulnerability in the HANA Cockpit and Database Explorer that could expose sensitive database configuration or data to unauthorized users.
CSS Injection vulnerability in SAP NetWeaver AS ABAP
A CSS injection vulnerability in SAP NetWeaver AS ABAP that could let an attacker inject stylesheet rules into pages the server renders, altering what users see on those pages.
Tier 2 · Covered when notable
Products with real deployments that have something worth acting on this month.
Denial of Service vulnerability in SAP BusinessObjects BI Platform
A Denial of Service vulnerability in the BusinessObjects BI Platform. The note was originally released in February 2026; the April update only corrects the Symptom section of the note text. If the February correction is already applied, there is nothing new to install.
Denial of Service vulnerability in SAP BusinessObjects BI Platform
A Denial of Service vulnerability that could impact availability of the BusinessObjects BI Platform.
Insecure Session Management in SAP BusinessObjects BI Platform
An insecure session management vulnerability in the BusinessObjects BI Platform that weakens the protection of user sessions against takeover or reuse by an attacker.
Reflected XSS vulnerability in SAP BusinessObjects BI Platform
A reflected cross-site scripting vulnerability in the BusinessObjects BI Platform: a crafted link causes attacker-supplied script to run in the victim's browser in the context of the platform.
Cross-Site Scripting (XSS) in SAP Supplier Relationship Management
An unauthenticated attacker can craft a malicious URL that, when accessed by a victim, executes malicious scripts in the victim's browser via the SRM Catalog ICF service. Confidentiality and integrity are affected.
Tier 3 · Critical CVEs only
Niche or SaaS-only products. Covered here when severity warrants it.