Absoft Limited has been renamed to Applexus Limited.

Overview

SAP’s security patch day for July 2026 has seen the release of 16 OSS SAP security notes. Three notes have been classified as critical, six as high, seven as medium and one as low based on the CVSS v3.0 Rating.

Security Notes by CVSS v3 Base Score

Base score

Eight notes have been released for:

  • SAP NetWeaver

Two notes have been released for:

  • SAP Commerce Cloud

Single notes have been released for:

  • SAP Financial Supply Chain Management
  • SAP Enterprise Portal
  • SAP Fiori
  • SAP Web Dynpro
  • SAP Portfolio and Project Management
  • SAP HANA
  • SAP Integration Suite

Security Notes by Product Category

Vulnerabilities: July 2026 Highlights

[CVE-2026-44760] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) (SAP Note 3754659)

Due to a Cross-Site Scripting (XSS) vulnerability, applications based on Business Server Pages framework in SAP NetWeaver Application Server ABAP reflects unsanitized input into the HTTP response which allows an attacker to inject and execute arbitrary JavaScript code under certain conditions. Successful exploitation could allow the attacker to steal session information, perform authenticated actions on behalf of the victim user etc. This vulnerability has low impact on confidentiality and integrity of the data and no impact on application ‘s availability.

[CVE-2026-44769] SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO) (SAP Note 3537373)

SAP S/4HANA application Project Management (PPM-PRO) allows an attacker with high privileges to execute crafted database queries, exposing the backend database. This results in low impact on confidentiality, with no impact on integrity and availability of the application.

[CVE-2026-44747] Memory Corruption vulnerability in SAP NetWeaver Application Server ABAP (SAP Note 3747367)

SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability. This has high impact on confidentiality, integrity, and availability of the application.

[CVE-2026-34257] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP (SAP Note 3692004)

Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft malicious URL that, if accessed by a victim, they could be redirected to the page controlled by the attacker. This causes low impact on confidentiality and integrity of the application with no impact on availability.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.

Search by a topic below...

Read Our Latest Articles

Didn’t find what you are looking for? Send us your questions.

We are here to help.
Colleagues at work at Absoft SAP Consultancy