medium2026-07-14SAP S/4HANACVE-2026-44769

SQL Injection in SAP S/4HANA Portfolio and Project Management

SAP S/4HANA Project Management (Portfolio and Project Management)

Our Take

SQL injection in PPM warrants attention for organisations where project data has commercial sensitivity or feeds financial reporting. Authenticated-only reduces immediacy, but the next planned window is appropriate.

Vulnerability Detail

SQL injection vulnerability in the Portfolio and Project Management (PPM) module of SAP S/4HANA. An authenticated attacker can inject SQL statements through unsanitised input fields, potentially accessing or modifying project and portfolio data beyond their authorised scope.

Patch Action

Apply SAP Note 3537373. Verify affected versions in the official SAP Note.

Patch Info

CVSS Score

5.5

SAP Note

3537373

CVE

CVE-2026-44769

Published

2026-07-14

← All patches