SAP has released security updates to address two critical flaws that could allow arbitrary code execution on affected systems, namely CVE-2019-17571 and CVE-2026-27685. The first vulnerability involves a code injection in the SAP Quotation Management Insurance application, while the second stems from insecure deserialization in the SAP NetWeaver Enterprise Portal Administration.
According to Onapsis, the application uses an outdated artifact of Apache Log4j 1.2.17 that is vulnerable to CVE-2019-17571, enabling an unprivileged attacker to execute arbitrary code remotely. CVE-2026-27685 involves missing or insufficient validation during deserialization of uploaded content, potentially allowing unauthorised content.
The disclosure comes as Microsoft shipped patches for 84 vulnerabilities across products, and Adobe announced patches for 80 vulnerabilities, with several critical flaws affecting Adobe Commerce, Magento Open Source, and Illustrator.
Hewlett Packard Enterprise also issued fixes for five Aruba Networking AOS-CX vulnerabilities, the most severe being CVE-2026-23813 (CVSS 9.8), an authentication bypass that could allow an unauthenticated remote actor to circumnavigate controls and reset the admin password in some cases.