ACCORDING to SecurityWeek, SAP has released 15 new security notes as part of its March 2026 Security Patch Day, addressing several critical and high‑severity flaws. The most significant fixes cover a code injection vulnerability in FS-QUO, tracked as CVE-2019-17571 with a CVSS of 9.8, and an insecure deserialization flaw in NetWeaver, tracked as CVE-2026-27685 with a CVSS of 9.1; both could enable remote code execution under certain conditions.
A third critical note fixes CVE-2026-27689 (CVSS 7.7), a high‑severity DoS bug in Supply Chain Management that could be exploited by repeatedly calling an oversized loop parameter to exhaust resources. The remainder of the updates address medium‑severity issues across NetWeaver, Business One, Business Warehouse, S/4HANA, and other SAP components, including SSRF, missing authorization checks, SQL injection, XSS, insecure storage, DLL hijacking and additional DoS flaws.
SAP notes that none of the vulnerabilities are known to be exploited in the wild, but urges customers to apply updates promptly to mitigate potential risk.