Back

Critical SQL Injection Vulnerability Discovered in SAP Products

Severity: High (Score: 72.8)

Sources: support.sap.com, Aktiencheck.De, Ccb.Belgium.Be, Heise.De

Summary

On April 14, 2026, SAP released a critical security patch addressing 19 vulnerabilities, including CVE-2026-27681, a severe SQL injection flaw with a CVSS score of 9.9. This vulnerability affects SAP Business Planning and Consolidation and SAP Business Warehouse, allowing authenticated users with low privileges to execute arbitrary SQL commands, potentially compromising sensitive database information. Another significant vulnerability, CVE-2026-34256, with a CVSS score of 7.1, allows attackers to overwrite ABAP reports in SAP ERP and SAP S/4HANA. SAP has classified the majority of the vulnerabilities as medium risk, with two rated as low threat. The Centre for Cybersecurity Belgium has urged immediate patching of affected systems to mitigate risks. SAP's recent security updates coincide with a period of declining investor confidence, as the company prepares for its quarterly earnings report. Organizations using SAP products are advised to apply the patches promptly to safeguard their systems. Key Points: • CVE-2026-27681 is a critical SQL injection vulnerability with a CVSS score of 9.9. • SAP has released patches for 19 vulnerabilities, including two rated as high risk. • Immediate patching is recommended to protect against potential data manipulation and unauthorized access.

Key Entities

  • Data Breach (attack_type)
  • Sql Injection (attack_type)
  • SAP (company)
  • Belgium (country)
  • CVE-2026-27681 (cve)
  • CVE-2026-34256 (cve)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • Employee Central (platform)
  • NetWeaver (platform)
  • Onboarding (platform)
  • People Intelligence Package (platform)
  • SAP BusinessObjects (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed