SAP Patches Critical NetWeaver, Commerce Vulnerabilities

SAP released 15 new security notes, including four critical fixes for NetWeaver, Commerce, and Data Hub. CVE-2026-44748 in NetWeaver AS ABAP and ABAP Platform is rated the most severe at 9.9. The flaws include SAML identity tampering in the style of an authentication bypass, memory corruption in the SAP kernel, a Spring Security issue affecting Commerce Cloud and Data Hub, and a directory traversal bug in NetWeaver Java.

Key points

  • SAP issued 15 new security notes in its June 2026 patch cycle.
  • CVE-2026-44748 is a critical XML Signature Wrapping flaw in NetWeaver AS ABAP and ABAP Platform.
  • CVE-2026-27671 is a critical memory corruption issue in the SAP kernel’s RFC protocol handling.
  • CVE-2026-22732 affects Commerce Cloud and Data Hub through a Spring Security-related header issue.
  • CVE-2026-40128 is a critical directory traversal bug in NetWeaver Application Server Java.

Read More: https://www.securityweek.com/sap-patches-critical-netweaver-commerce-vulnerabilities/