SAP has released 27 new and updated security notes on its February 2026 security patch day, including two that address critical-severity vulnerabilities. The first critical note addresses CVE-2026-0488 (CVSS score of 9.9), a code injection bug in CRM and S/4HANA that can be exploited by authenticated attackers to execute arbitrary SQL statements, potentially leading to a full database compromise, according to Onapsis.
The second critical note resolves CVE-2026-0509 (CVSS score of 9.6), a missing authorization check in NetWeaver Application Server ABAP and ABAP Platform that could allow an authenticated, low-privileged user to perform background remote function calls without the required S_RFC authorization, according to Onapsis.
SAP also addressed high-severity defects across NetWeaver, SCM, ST-PI, BusinessObjects, and Commerce Cloud, including an XML signature wrapping issue in NetWeaver that could expose sensitive user information. According to the company, none of these vulnerabilities has been exploited in the wild, but users are advised to update deployments promptly.