
Mark0


SAP fixes critical flaws in NetWeaver and Commerce Cloud

SAP has released its June 2026 Security Patch package, addressing 15 vulnerabilities, including four critical-severity flaws in SAP NetWeaver and SAP Commerce Cloud. The most severe issue, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw that could allow attackers to bypass authentication in SAML-based environments. Another critical flaw, CVE-2026-27671 (CVSS 9.8), enables unauthenticated attackers to cause memory corruption via crafted RFC requests.

In addition to these, SAP patched directory traversal in NetWeaver AS Java and Spring Security vulnerabilities in Commerce Cloud. The update also covers various high-severity issues including SQL injection, cross-site scripting (XSS), and missing authorization checks. Organizations are urged to prioritize these patches immediately, particularly for systems handling core business functions and user authentication.

