Critical | 2026-02-11 | SAP CRM / S/4HANA | CVE-2026-0488

SQL Injection via Generic Function Module in SAP CRM and SAP S/4HANA

SAP CRM and SAP S/4HANA

Our Take

CVSS 9.9 with a low-privilege exploit path and direct SQL execution is as serious as it gets. Any system running SAP CRM or S/4HANA with an affected WEBCUIF, S4FND or SAP_ABA component level is exposed. This should have been patched on release day; if you missed February patch Tuesday, fix this before anything else.

Vulnerability Detail

An authenticated low-privileged user can exploit a flaw in a generic function module to execute arbitrary SQL statements directly against the database. Full read, modify, and delete access to database content is possible, enabling complete database compromise. Because the only precondition is a valid low-privilege login, network restrictions and role hardening do not close this path; only the patch does.
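The pattern behind this class of bug, as an added illustration and not the SAP code behind CVE-2026-0488 (the affected module's source is not on this page): a hypothetical generic function module Z_GENERIC_SELECT_VULN builds a dynamic Open SQL WHERE clause from caller input, and Z_GENERIC_SELECT_SAFE hardens the same interface. Table names, field names and the allow-list contents are assumptions for the example.

```abap
*&---------------------------------------------------------------------*
*& Added illustration only. Z_GENERIC_SELECT_VULN / _SAFE are
*& hypothetical function modules, not SAP's module from the advisory.
*& Both take a table name, a field name and a value from the caller
*& and return the matching rows; the first one can be abused for
*& SQL injection, the second one cannot.
*&---------------------------------------------------------------------*

" --- Vulnerable variant -----------------------------------------------
FUNCTION z_generic_select_vuln.
*"  IMPORTING  VALUE(IV_TABLE) TYPE TABNAME
*"             VALUE(IV_FIELD) TYPE FIELDNAME
*"             VALUE(IV_VALUE) TYPE STRING
*"  EXPORTING  VALUE(ER_ROWS)  TYPE REF TO DATA
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.
  DATA lv_where TYPE string.

  " The table name is never validated: any caller can read any table.
  CREATE DATA er_rows TYPE STANDARD TABLE OF (iv_table).
  ASSIGN er_rows->* TO <lt_rows>.

  " Caller input is spliced straight into the condition. With
  " IV_VALUE = `X' OR '1' = '1` the clause becomes
  "   FIELD = 'X' OR '1' = '1'
  " and the SELECT returns every row of the table.
  lv_where = |{ iv_field } = '{ iv_value }'|.
  SELECT * FROM (iv_table) WHERE (lv_where) INTO TABLE @<lt_rows>.
ENDFUNCTION.

" --- Hardened variant -------------------------------------------------
FUNCTION z_generic_select_safe.
*"  IMPORTING  VALUE(IV_TABLE) TYPE TABNAME
*"             VALUE(IV_FIELD) TYPE FIELDNAME
*"             VALUE(IV_VALUE) TYPE STRING
*"  EXPORTING  VALUE(ER_ROWS)  TYPE REF TO DATA
*"  EXCEPTIONS NOT_ALLOWED
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.
  DATA lv_where TYPE string.

  " 1. A "generic" reader still needs an allow-list of the tables it
  "    may touch (assumed names). Anything else is rejected outright.
  DATA(lt_allowed) = VALUE string_table( ( `ZCRM_ORDER_HDR` )
                                         ( `ZCRM_PARTNER` ) ).
  TRY.
      cl_abap_dyn_prg=>check_whitelist_tab( val       = iv_table
                                            whitelist = lt_allowed ).
      " 2. The field name must be a syntactically valid column name,
      "    so no quotes, operators or comments can ride in on it.
      cl_abap_dyn_prg=>check_column_name( iv_field ).
    CATCH cx_abap_not_in_whitelist cx_abap_invalid_name.
      RAISE not_allowed.
  ENDTRY.

  " 3. Check the calling user's own table authorization instead of
  "    relying on the FM's generic nature to hide the data.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_table
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    RAISE not_allowed.
  ENDIF.

  " 4. Quote the value properly: QUOTE wraps it in single quotes and
  "    doubles any quote inside, so `X' OR '1' = '1` becomes the
  "    literal 'X'' OR ''1'' = ''1' and matches nothing.
  lv_where = |{ iv_field } = { cl_abap_dyn_prg=>quote( iv_value ) }|.

  CREATE DATA er_rows TYPE STANDARD TABLE OF (iv_table).
  ASSIGN er_rows->* TO <lt_rows>.
  SELECT * FROM (iv_table) WHERE (lv_where) INTO TABLE @<lt_rows>.
ENDFUNCTION.
```

The point of the hardened version is that validation happens on every dynamic token separately: the allow-list bounds the table, the name check bounds the column, the authority check ties the read to the caller's own permissions, and the value is escaped rather than trusted. Where the interface allows it, passing the value as a host variable in a static condition is preferable to any dynamic WHERE clause at all.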

Patch Action

Apply SAP Note 3697099. Before applying, compare the installed component levels (System > Status, Component Information) against the Affected Versions list below; afterwards, confirm the note shows as completely implemented in SNOTE on every affected system, including non-production ones, since the exploit path needs only a valid low-privilege login.

Affected Versions

S4FND 102–109
SAP_ABA 700
WEBCUIF 700/701/730/731/746/747/748/800/801

Patch Info

Priority

🔴 Patch immediately

CVSS Score

9.9

SAP Note

3697099

CVE

CVE-2026-0488

Published

2026-02-11

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.