Critical · 2026-02-11 · SAP CRM / S/4HANA · CVE-2026-0488

SQL Injection via Generic Function Module in SAP CRM and SAP S/4HANA

SAP CRM and SAP S/4HANA

Our Take

CVSS 9.9 with a low-privilege exploit path and direct SQL execution is as serious as it gets. Any system running SAP CRM or SAP S/4HANA with an affected S4FND, SAP_ABA or WEBCUIF release is exposed. This should have been patched on release day; if you missed the February SAP Security Patch Day, fix this before anything else.

Vulnerability Detail

An authenticated user with only low privileges can exploit an SQL injection flaw in a generic function module to execute arbitrary SQL statements directly against the underlying database. The attacker gains full read, modify and delete access to database content, which amounts to complete compromise of the database's confidentiality, integrity and availability.

Patch Action

Apply SAP Note 3697099.

Affected Versions

S4FND 102–109
SAP_ABA 700
WEBCUIF 700/701/730/731/746/747/748/800/801
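To turn the affected-versions list into an exposure check, the following Python script is an added example (not part of this advisory or of SAP's own tooling). It parses the release specifications exactly as they appear above, expanding the numeric S4FND range and the slash-separated WEBCUIF list, and compares them against a component inventory of the kind you read off System → Status → Component information. The inventory below is constructed sample data; release identifiers are compared as strings because SAP release numbers are not always numeric (for example SAP_ABA 75G on S/4HANA).

```python
import re

# Affected releases, copied from SAP Note 3697099 as listed in this advisory.
AFFECTED = """\
S4FND 102–109
SAP_ABA 700
WEBCUIF 700/701/730/731/746/747/748/800/801
"""

# Matches a numeric release range such as "102–109" (en dash or hyphen).
_RANGE = re.compile(r"(\d+)\s*[–-]\s*(\d+)")


def parse_affected(text):
    """Parse 'COMPONENT spec' lines into {component: set of release strings}.

    A spec is either a numeric range ("102–109", expanded inclusively) or
    one or more literal releases separated by "/" ("700/701/...").
    """
    affected = {}
    for line in text.strip().splitlines():
        component, spec = line.split(None, 1)
        releases = set()
        for part in spec.split("/"):
            part = part.strip()
            match = _RANGE.fullmatch(part)
            if match:
                low, high = int(match.group(1)), int(match.group(2))
                releases.update(str(r) for r in range(low, high + 1))
            else:
                releases.add(part)
        affected[component] = releases
    return affected


# Constructed sample inventory: (software component, release) pairs in the
# shape shown by System -> Status -> Component information. Hypothetical data.
SAMPLE_INVENTORY = [
    ("SAP_BASIS", "757"),
    ("SAP_ABA", "75G"),   # not in the affected list (only SAP_ABA 700 is)
    ("S4FND", "107"),     # inside the affected 102–109 range
    ("WEBCUIF", "748"),   # listed explicitly
]


def exposed_components(inventory, affected=None):
    """Return the (component, release) pairs whose release is in scope for the note.

    A hit means the release is one the note targets; it does not prove the
    note is still missing. Confirm implementation status in SNOTE before
    treating a hit as an open finding.
    """
    affected = affected if affected is not None else parse_affected(AFFECTED)
    return [
        (component, release)
        for component, release in inventory
        if component in affected and release in affected[component]
    ]


if __name__ == "__main__":
    hits = exposed_components(SAMPLE_INVENTORY)
    if hits:
        print("Releases in scope for SAP Note 3697099 (verify status in SNOTE):")
        for component, release in hits:
            print(f"  {component} {release}")
    else:
        print("No component release in scope for SAP Note 3697099.")
```

A hit only tells you the installed release is one the note targets; whether the correction is already applied depends on the support package level and on SNOTE, so use the script to shortlist systems, not to close findings.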

Patch Info

Timing: 🔴 Patch immediately
CVSS Score: 9.9
SAP Note: 3697099
CVE: CVE-2026-0488
Published: 2026-02-11

Timing recommendations are editorial. Verify against official SAP Security Notes before acting on production systems.