medium2026-07-14SAP S/4HANACVE-2026-44769
SQL Injection in SAP S/4HANA Portfolio and Project Management
SAP S/4HANA Project Management (Portfolio and Project Management)
Our Take
SQL injection in PPM warrants attention for organisations where project data has commercial sensitivity or feeds financial reporting. Authenticated-only reduces immediacy, but the next planned window is appropriate.
Vulnerability Detail
SQL injection vulnerability in the Portfolio and Project Management (PPM) module of SAP S/4HANA. An authenticated attacker can inject SQL statements through unsanitised input fields, potentially accessing or modifying project and portfolio data beyond their authorised scope.
Patch Action
Apply SAP Note 3537373. Verify affected versions in the official SAP Note.
Patch Info