
Multiple Vulnerabilities in SAP Products Allow Remote Code Execution

Source: CERT-FR Security Advisories (www.cert.ssi.gouv.fr)

Summary

CERT-FR published advisory CERTFR-2026-AVI-0434 alerting organizations that multiple vulnerabilities have been discovered in SAP products. Affected systems span SAP NetWeaver Application Server ABAP and Java, S/4HANA, BusinessObjects, and numerous other SAP platforms across versions 700-816. The vulnerabilities expose organizations to remote code execution, SQL injection, cross-site scripting, denial of service, and data confidentiality breaches.

What changed

CERT-FR issued an advisory detailing multiple security vulnerabilities discovered in SAP enterprise software products. The affected systems include SAP NetWeaver Application Server ABAP (versions 700-816), NetWeaver Java, S/4HANA (Private Cloud and On-Premise), BusinessObjects Business Intelligence Platform, HANA Cockpit, Human Capital Management, and numerous other SAP platforms and components.

Organizations running SAP enterprise systems should immediately identify whether their deployments are affected by reviewing the specific version numbers listed in the advisory. The vulnerabilities expose systems to remote code execution, SQL injection attacks, cross-site scripting, denial of service conditions, and potential data confidentiality breaches. Organizations should apply the latest SAP security patches referenced in SAP's April 2026 security bulletin and monitor for additional updates.

What to do next

  1. Identify SAP product versions in use from the list of affected systems
  2. Apply the latest SAP security patch to all affected systems
  3. Monitor SAP security bulletins for additional updates

Archived snapshot

Apr 14, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Prime Minister, S.G.D.S.N
Agence nationale de la sécurité des systèmes d'information (ANSSI)

Paris, 14 April 2026, No. CERTFR-2026-AVI-0434, handled by: CERT-FR

CERT-FR Advisory

Subject: Multiple vulnerabilities in SAP products

Document management

| Field | Value |
| --- | --- |
| Reference | CERTFR-2026-AVI-0434 |
| Title | Multiple vulnerabilities in SAP products |
| Date of first version | 14 April 2026 |
| Date of latest version | 14 April 2026 |
| Source(s) | SAP security bulletin april-2026 of 14 April 2026 |

A detailed version history is given at the end of this document.


Risks

  • Breach of data confidentiality
  • Security policy bypass
  • Remote denial of service
  • Remote arbitrary code execution
  • Remote cross-site scripting (XSS)
  • SQL injection (SQLi)
  • Not specified by the vendor

Affected systems

  • Business Analytics and Content Management versions S4HCMRXX 100, 101, 102, SAP_HRRXX 600, 604 and 608 without the latest security patch
  • Business Planning and Consolidation and Business Warehouse versions HANABPC 810, BPC4HANA 300, SAP_BW 750, 752, 753, 754, 755, 756, 757, 758 and 816 without the latest security patch
  • BusinessObjects Business Intelligence Platform versions ENTERPRISE 430, 2025 and 2027 without the latest security patch
  • ERP and S/4 HANA (Private Cloud and On-Premise) versions SAP_FIN 618, 720, 730, EA-FIN 617, 700, SAPSCORE 135, S4CORE 102, 103, 104, 105, 106, 107, 108, 109, EA-APPL 600, 602, 603, 604, 605 and 606 without the latest security patch
  • HANA Cockpit and HANA Database Explorer version SAPHANACOCKPIT 2.0 without the latest security patch
  • Human Capital Management for S/4HANA versions S4HCMRXX 100, 101, 102, SAP_HRRXX 600, 604 and 608 without the latest security patch
  • Landscape Transformation versions DMIS 20111700, 20111710, 20111730, 20111731, 20111752, 2020, S4CORE 102, 103, 104, 105, 106, 107, 108 and 109 without the latest security patch
  • Material Master Application versions S4CORE 102, 103, 104, 105, 106, 107, 108, 109, SCMBASIS 700, SCMBASIS 701, SCMBASIS 702, SCMBASIS 712, SCMBASIS 713 and SCMBASIS 714 without the latest security patch
  • NetWeaver Application Server ABAP versions SAPBASIS 700, SAPBASIS 701, SAPBASIS 702, SAPBASIS 731, SAPBASIS 740, SAPBASIS 750, SAPBASIS 752, SAPBASIS 753, SAPBASIS 754, SAPBASIS 755, SAPBASIS 756, SAPBASIS 757, SAPBASIS 758 and SAPBASIS 816 without the latest security patch
  • NetWeaver Application Server ABAP versions SAP_UI 758 and 816 without the latest security patch
  • NetWeaver Application Server Java (Web Dynpro Java) version WD-RUNTIME 7.50 without the latest security patch
  • S/4HANA (Private Cloud and On-Premise) versions S4CORE 105, 106, 107, 108, 109, FI-CA 606, 616, 617 and 618 without the latest security patch
  • S/4HANA Backend OData Service (Manage Reference Structures) version S4CORE 109 without the latest security patch
  • S/4HANA Frontend OData Service (Manage Reference Structures) version UIS4H 109 without the latest security patch
  • S/4HANA OData Service (Manage Reference Equipment) version S4CORE 109 without the latest security patch
  • S/4HANA OData Service (Manage Technical Object Structures) version S4CORE 109 without the latest security patch
  • S4CORE (Manage Journal Entries) versions S4CORE 104, 105, 106, 107 and 108 without the latest security patch
  • Supplier Relationship Management (SICF Handler in SRM Catalog) versions SRM_SERVER 702, 713 and 714 without the latest security patch
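The first two steps of the "What to do next" list above (identify the product versions you run, then patch the ones the advisory names) are easier to carry out reliably if the affected-systems list is parsed rather than read. The script below is an added example, not code from CERT-FR, SAP or GovPing: it turns entries of the affected-systems list into (component, release) pairs, using the list's own convention that a bare release inherits the preceding component name, and matches a software-component inventory against them. The five entries are copied from this advisory in its original wording (the parser also accepts the English rendering); the inventory, the system IDs and the rule that strips underscores so that SAPBASIS and SAP_BASIS compare equal are assumptions made for the example.

```python
"""Match an SAP software-component inventory against an advisory's
affected-systems list.  Added example, not CERT-FR's or SAP's code."""
import re
from typing import Dict, List, Set, Tuple

# Entries copied from CERTFR-2026-AVI-0434, in the advisory's own form:
# "<product> version(s) <component> <release>, <release>, ... et <release>
# sans le dernier correctif de sécurité".  A bare release inherits the
# preceding component name.
AFFECTED_LINES = [
    "BusinessObjects Business Intelligence Platform versions ENTERPRISE 430, "
    "2025 et 2027 sans le dernier correctif de sécurité",
    "Landscape Transformation versions DMIS 20111700, 20111710, 20111730, "
    "20111731, 20111752, 2020, S4CORE 102, 103, 104, 105, 106, 107, 108 et 109 "
    "sans le dernier correctif de sécurité",
    "NetWeaver Application Server ABAP versions SAP_UI 758 et 816 "
    "sans le dernier correctif de sécurité",
    "S/4HANA OData Service (Manage Reference Equipment) version S4CORE 109 "
    "sans le dernier correctif de sécurité",
    "HANA Cockpit and HANA Database Explorer version SAPHANACOCKPIT 2.0 "
    "sans le dernier correctif de sécurité",
]

# Constructed inventory (assumption): (system id, software component, release)
# as an administrator would export it from each system's component list.
INVENTORY = [
    ("PRD", "S4CORE", "109"),
    ("PRD", "SAP_UI", "816"),
    ("BI1", "ENTERPRISE", "2025"),
    ("QAS", "S4CORE", "101"),
    ("HC1", "SAPHANACOCKPIT", "2.0"),
    ("DEV", "DMIS", "2020"),
]

# The trailer and the list separator exist in the French source wording and
# in its English rendering; accept both.
TRAILER = re.compile(r"\s+(?:sans le dernier correctif de sécurité"
                     r"|without the latest security patch)\s*$")
HEAD = re.compile(r"^(?P<product>.+?)\s+versions?\s+(?P<spec>.+)$")
ITEM_SEP = re.compile(r",\s*|\s+(?:et|and)\s+")


def normalize(component: str) -> str:
    """Compare component names without punctuation or case: the advisory
    writes SAPBASIS where a system's component list shows SAP_BASIS
    (assumed normalisation rule)."""
    return re.sub(r"[^A-Z0-9]", "", component.upper())


def parse_affected(line: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split one affected-systems entry into its product name and the
    (component, release) pairs it lists."""
    line = TRAILER.sub("", line.strip())
    head = HEAD.match(line)
    if not head:
        raise ValueError(f"unrecognised entry: {line!r}")
    product, spec = head.group("product"), head.group("spec")
    pairs: List[Tuple[str, str]] = []
    component = None
    for item in (t.strip() for t in ITEM_SEP.split(spec) if t.strip()):
        parts = item.split()
        if len(parts) == 2:                      # "S4CORE 102"
            component, release = parts
        elif len(parts) == 1 and component:      # bare "103" after a component
            release = parts[0]
        else:
            raise ValueError(f"unrecognised item {item!r} in {line!r}")
        pairs.append((component, release))
    return product, pairs


def build_index(lines: List[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (normalised component, release) -> products that list it."""
    index: Dict[Tuple[str, str], Set[str]] = {}
    for line in lines:
        product, pairs = parse_affected(line)
        for component, release in pairs:
            index.setdefault((normalize(component), release), set()).add(product)
    return index


def find_exposed(inventory, index) -> List[Tuple[str, str, str, List[str]]]:
    """Return (sid, component, release, products) for every inventory row
    whose component/release appears in the advisory, in inventory order."""
    hits = []
    for sid, component, release in inventory:
        products = index.get((normalize(component), release))
        if products:
            hits.append((sid, component, release, sorted(products)))
    return hits


if __name__ == "__main__":
    # The advisory lists releases only, not support-package or patch levels,
    # so a hit means "confirm the April 2026 patch is applied", not "vulnerable".
    for sid, component, release, products in find_exposed(
            INVENTORY, build_index(AFFECTED_LINES)):
        print(f"{sid}: {component} {release} is listed under: "
              f"{'; '.join(products)}")
```

Because the advisory identifies affected systems by component release alone, the match is a triage list: each hit still has to be checked against the support-package and patch level the SAP April 2026 bulletin prescribes before it is closed.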

Summary

Multiple vulnerabilities have been discovered in SAP products. Some of them allow an attacker to cause remote arbitrary code execution, a remote denial of service and a breach of data confidentiality.

Solutions

Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).

Documentation


Detailed document history

  1. 14 April 2026: initial version


About this page


What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CERT-FR.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.


Classification

| Field | Value |
| --- | --- |
| Agency | CERT-FR |
| Published | April 14th, 2026 |
| Instrument | Notice |
| Legal weight | Non-binding |
| Stage | Final |
| Change scope | Substantive |
| Document ID | CERTFR-2026-AVI-0434 |

Who this affects

| Field | Value |
| --- | --- |
| Applies to | Technology companies, Government agencies, Manufacturers |
| Industry sector | 5112 Software & Technology |
| Activity scope | Enterprise software patching, Vulnerability remediation, Server administration |
| Geographic scope | France (FR) |

Taxonomy

| Field | Value |
| --- | --- |
| Primary area | Cybersecurity |
| Operational domain | IT Security |
| Compliance frameworks | NIST CSF |
| Topics | Data Privacy, Financial Services |
