SAP has released its security update for February 2026, addressing 26 new vulnerabilities across its enterprise ecosystem, with the most severe being a critical code injection flaw in SAP CRM and SAP S/4HANA tracked as CVE-2026-0488, which carries a near-maximum CVSS score of 9.9.
According to SAP, the advisory warns that an authenticated attacker could exploit a flaw in a generic function module call and execute an arbitrary SQL statement, potentially resulting in full database compromise with high impact on confidentiality, integrity and availability.
Close behind is CVE-2026-0509 (CVSS 9.6), a missing authorisation check in the SAP NetWeaver Application Server ABAP that could allow a low-privileged user to perform background Remote Function Calls without the required S_RFC authorisation, undermining system integrity and availability.
Another high-severity issue, CVE-2026-23687 (CVSS 8.8), affects the trust verification process in SAP NetWeaver, enabling an attacker to obtain a valid signed message and send modified signed XML documents to the verifier through an XML Signature Wrapping flaw. Administrators are urged to patch promptly and review Security Note 3697099 to apply the necessary updates without delay.