SAP has issued 15 new security notes, four of which address critical vulnerabilities in its software products, including NetWeaver and Commerce. The most severe, CVE-2026-44748, has a CVSS score of 9.9 and involves XML Signature Wrapping in SAML authentication, which allows attackers to manipulate user identity information. Other critical vulnerabilities include CVE-2026-27671 (memory corruption in the SAP kernel), CVE-2026-22732 (a Spring Security framework issue), and CVE-2026-40128 (a directory traversal vulnerability).
These flaws can lead to unauthorized access and denial-of-service conditions. SAP's updates also include fixes for various Apache Tomcat flaws and an authorization check issue.