Real SAP Security Notes from SAP Patch Tuesday April 14, 2026. CVSS scores and SAP Note IDs are factual references — all other content is editorial summary, not professional security advice. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.

April 2026 · 14 notes

Patch Archive

April 2026 SAP Security Patches

Every SAP Security Note from Patch Tuesday April 14, 2026, ranked by tier and CVSS score.

2 Critical · 2 High · 8 Medium · 2 Low


Tier 1 · Always covered

7 patches

Products in virtually every SAP environment. Patch these first, every month.

T1 · 2026-04-14
SAP BPC / SAP BW

SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse

A low-privileged authenticated user can upload a file containing arbitrary SQL statements that are then executed against the database. Full read, modify, and delete access to database content is possible. Manipulated planning figures, broken reports, and deleted consolidation data can result.

🔴 Patch immediately
#3719353 · CVSS 9.9

T1 · 2026-04-14
SAP ERP / S/4HANA

Missing Authorization check in SAP ERP and SAP S/4HANA

An authenticated attacker can execute a specific ABAP program to overwrite any existing eight-character executable program without authorization. This impacts the availability and integrity of the affected report. Confidentiality is not affected.

#3731908 · CVSS 7.1

T1 · 2026-04-14
SAP NetWeaver

Code Injection vulnerability in SAP NetWeaver AS Java (Web Dynpro)

A code injection vulnerability exists in the Web Dynpro Java runtime. An attacker could potentially inject and execute arbitrary code through the affected component.

#3719397 · CVSS 6.1

T1 · 2026-04-14
SAP NetWeaver

Open Redirect vulnerability in SAP NetWeaver AS ABAP

An unauthenticated attacker can craft malicious URLs that, when accessed by a victim, redirect them to an attacker-controlled page. Affects confidentiality and integrity through potential phishing vectors.

#3692004 · CVSS 6.1

T1 · 2026-04-14
SAP S/4HANA

Missing Authorization check in SAP Business Analytics and SAP Content Management

Remote-enabled function modules allow an authenticated user to access sensitive information beyond their intended permissions. After patching, the vulnerable function modules are no longer accessible remotely.

#3705094 · CVSS 6.5

T1 · 2026-04-14
SAP HANA

Information Disclosure vulnerability in SAP HANA Cockpit and HANA Database Explorer

An information disclosure vulnerability in the HANA Cockpit and Database Explorer could expose sensitive database configuration or data to unauthorized users.

#3730639 · CVSS 5

T1 · 2026-04-14
SAP NetWeaver

CSS Injection vulnerability in SAP NetWeaver AS ABAP

A CSS injection vulnerability in SAP NetWeaver AS ABAP could allow style injection attacks.

#3665042 · CVSS 3.1

Tier 2 · Covered when notable

6 patches

Products with real deployments that have something worth acting on this month.

T2 · 2026-04-30
SAP CAP / npm Supply Chain

HotNews: Mini Shai-Hulud Supply Chain Attack Against SAP CAP npm Packages

A supply chain attack, dubbed Mini Shai-Hulud after the 2025 worm of the same name, compromised npm packages used by SAP Cloud Application Programming Model (CAP) developers, including mbt (MTA Build Tool), @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service. Malicious preinstall scripts ran during npm install and stole developer, GitHub, npm, cloud, CI/CD, and service account credentials. Stolen tokens were then used to propagate the malware to additional npm packages and to create exfiltration repositories. The campaign expanded on the 2025 Shai-Hulud worm and is reported to have compromised over 160 packages by May 2026.

🔴 Patch immediately
#3747787 · CVSS 9.8

T2 · 2026-04-14
SAP BusinessObjects

Denial of Service vulnerability in SAP BusinessObjects BI Platform

A Denial of Service vulnerability affects the BusinessObjects BI Platform. The note was originally released in February 2026; this April update is only a minor correction to the Symptom section of the note, and no new patch is required.

#3678282 · CVSS 7.5

T2 · 2026-04-14
SAP BusinessObjects

Denial of Service vulnerability in SAP BusinessObjects BI Platform

A Denial of Service vulnerability could impact availability of the BusinessObjects BI Platform.

#3696239 · CVSS 6.5

T2 · 2026-04-14
SAP BusinessObjects

Insecure Session Management in SAP BusinessObjects BI Platform

An insecure session management vulnerability in the BusinessObjects BI Platform could allow session-related attacks.

#3702191 · CVSS 4.2

T2 · 2026-04-14
SAP BusinessObjects

Reflected XSS vulnerability in SAP BusinessObjects BI Platform

A reflected cross-site scripting vulnerability in the BusinessObjects BI Platform could allow script injection attacks against users.

#3698216 · CVSS 4.1

T2 · 2026-04-14
SAP SRM

Cross-Site Scripting (XSS) in SAP Supplier Relationship Management

An unauthenticated attacker can craft a malicious URL that, when accessed by a victim, executes malicious scripts in the victim's browser via the SRM Catalog ICF service. Confidentiality and integrity are affected.

#3645228 · CVSS 6.1