
""The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed," software security firm Onapsis explains."
""In a potential attack scenario, an attacker abuses the affected upload-related functionality to run malicious SQL against BW/BPC data stores. Once successfully exploited, the vulnerability can allow an attacker to extract sensitive financial data, alter reports, models, or consolidation figures, delete or corrupt database content, and create major disruption," Stross said."
""SAP resolved the issue by completely deactivating the executable code.""
SAP announced the release of 20 new and updated security notes on its April 2026 security patch day. The most critical flaw, CVE-2026-27681, is a SQL injection vulnerability in Business Planning and Consolidation and Business Warehouse, with a CVSS score of 9.9. This flaw allows low-privileged users to execute arbitrary SQL statements, potentially leading to data tampering and extraction. SAP also addressed a high-severity missing authorization check in ERP and S/4 HANA, along with 16 medium-severity vulnerabilities affecting various SAP products.
Read at SecurityWeek