Absoft Limited has been renamed to Applexus Limited.

Overview

SAP’s security patch day for May 2026 has seen the release of 16 OSS SAP security notes. Two notes have been classified as critical, one as high, 11 as medium and two as low, based on their CVSS v3.0 rating.

Security Notes by CVSS v3 Base Score

[Chart: Security Notes Base Score, May 2026]

Five notes have been released for:

  • SAP NetWeaver

Two notes have been released for:

  • SAP HANA
  • SAP Customer Engagement & Commerce

Single notes have been released for:

  • SAP ERP Finance
  • SAP Solution Manager
  • SAP BusinessObjects
  • SAP SCM
  • SAP ERP Sales and Distribution
  • SAP BPC
  • SAP Incentive and Commission Management

Security Notes by Product Category

[Chart: Security Notes Product Category, May 2026]

Vulnerabilities: May 2026 Highlights

[CVE-2026-27682] Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) (SAP Note 3728690)

Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the injected input is processed during web page generation, resulting in the execution of malicious content in the victim’s browser context. This could allow the attacker to access and/or modify information, impacting the confidentiality and integrity of the application, with no impact to availability.

[CVE-2026-40129] Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform (SAP Note 3735359)

Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted input to the application. If processed by the application, this input could be delivered to users subscribed to the channel and result in execution. Successful exploitation could enable the attacker to execute arbitrary code for other users, resulting in a low impact on integrity, with no impact on the confidentiality and availability of the system.

[CVE-2026-40135] OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform (SAP Note 3730019)

An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, bypassing the logging mechanism. This allows the execution of unintended OS commands without detection, potentially impacting the integrity and availability of the application, with no impact on confidentiality.

[CVE-2026-40137] Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) (SAP Note 3727717)

SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker‑controlled sites, potentially exposing or altering sensitive information in the victim’s browser. This results in a low impact on confidentiality and integrity, with no impact on the availability of the application.

[CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management (SAP Note 3718508)

Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations. This vulnerability has a low impact on integrity with no impact on confidentiality and availability of the application.
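As an added illustration of the class of defect behind this note (not SAP's code, and not the affected function module, which the note does not name here): a hypothetical remote-enabled function module `z_hyp_update_commission` writing to a hypothetical custom table `ZHYP_COMMISSION`, which performs its own AUTHORITY-CHECK on the standard S_TABU_NAM object before updating the table and refuses the RFC call otherwise. The vulnerable variant is simply the same module without the check.

```abap
FUNCTION z_hyp_update_commission.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  TABLES
*"      IT_ROWS STRUCTURE  ZHYP_COMMISSION
*"  EXCEPTIONS
*"      NOT_AUTHORIZED
*"      UPDATE_FAILED
*"----------------------------------------------------------------------
* Hypothetical module. The "Remote-Enabled Module" attribute is set in
* SE37, not in source. Because any RFC client holding S_RFC rights for
* the function group can call it, the module must verify the caller's
* authorization itself before touching the table; S_RFC alone only
* grants the right to call, not the right to change data.

  CONSTANTS lc_table TYPE tabname VALUE 'ZHYP_COMMISSION'.

  " S_TABU_NAM is the standard table-level authorization object;
  " ACTVT '02' is "change". An application-specific object would do
  " equally well, as long as some check precedes the write.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD lc_table
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc <> 0.
    " The failed check is visible for the calling user in SU53,
    " which gives administrators a place to look when an RFC
    " caller is probing this module.
    RAISE not_authorized.
  ENDIF.

  " Only after a successful check is the database written.
  MODIFY zhyp_commission FROM TABLE it_rows[].
  IF sy-subrc <> 0.
    RAISE update_failed.
  ENDIF.

ENDFUNCTION.
```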

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
