SAP warns of critical flaws in NetWeaver and Commerce Cloud

SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter.

The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software.

“SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability,” SAP says. “This has high impact on confidentiality, integrity, and availability of the application.”

The second one (CVE-2026-27690) is an HTTP Request Smuggling vulnerability in SAP Approuter, a Node.js-based middleware library for cloud-based apps deployed on the company’s Business Technology Platform (SAP BTP).

Unauthenticated attackers can exploit this flaw via specially crafted HTTP requests to access user responses and trigger denial-of-service attacks on the targeted system.

The third critical flaw addressed today (tracked as CVE-2026-44761) was found in the SAP Commerce Cloud enterprise e-commerce platform and stems from default credentials that enable attackers to get valid access tokens and read or modify data via certain APIs.

SAP’s July 2026 advisory also lists fixes for six high-severity flaws, seven medium-severity ones, and one low-severity vulnerability, including DLL hijacking, open redirect, missing authorization checks, remote code execution, cross-site scripting (XSS), path traversal, SQL injection, denial-of-service, information disclosure, and security misconfigurations.

While the company has yet to find evidence that the vulnerabilities patched today have been exploited in attacks, CISA has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog since November 2021, including two that were abused by ransomware gangs.

Most recently, SAP fixed 15 vulnerabilities as part of its June 2026 Security Patch package, and attackers compromised multiple official SAP npm packages in a supply chain attack aimed at stealing credentials from developers’ systems.

The German multinational software corporation has reported total revenues exceeding €36 billion in fiscal year 2025 and servers 99 of the 100 largest companies worldwide.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

SAP fixes critical flaws in NetWeaver and Commerce Cloud

CISA warns of actively exploited RCE flaws in Joomla extensions

Hackers exploit critical auth bypass in Gitea Docker image

Zimbra urges customers to patch critical web client XSS flaw

Google: Hackers exploited Zimbra zero-day in attacks on govt orgs

Claude Fable 5 stays free for paid users until July 19 as Anthropic buys more time

Australia warns of global campaign targeting vulnerable CMS platforms

‘Ghostcommit’ hides prompt injection in images to fool AI agents, steal secrets

How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.

Your Scanners Are Green. Your Pipeline Might Not Be. Here’s How to Close the Gap.

AI is a data-breach time bomb: Read the new report?utm_source=bleepingcomputer&utm_medium=referral&utm_campaign=bleepingcomputer_referral&utm_content=article

Overdue a password health-check? Audit your Active Directory for free

#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.

Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure

Read our posting guidelinese to learn what content is prohibited.