medium | 2026-06-09 | SAP S/4HANA | CVE-2026-44744

SQL Injection in SAP S/4HANA Self-Service Procurement

SAP S/4HANA (Self-Service Procurement)

Our Take

SQL injection in a remote-enabled function module is inherently more exploitable than a local-only vulnerability. Every modern S/4HANA version is affected. Procurement data manipulation has direct financial and audit implications. Include this patch in your next planned patch window.

Vulnerability Detail

A SQL injection vulnerability exists in a remote-enabled function module within the SAP S/4HANA Self-Service Procurement component. An authenticated attacker can inject SQL statements through unsanitised input, potentially accessing or modifying procurement data beyond their authorisation.

Patch Action

Apply SAP Note 3751691.

Affected Versions

S4CORE 102, 103, 104, 105, 106, 107, 108, 109

Patch Info

CVSS Score: 6.5
SAP Note: 3751691
CVE: CVE-2026-44744
Published: 2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.