Enterprise software maker SAP on Tuesday announced the release of 17 new security notes as part of its January 2026 Security Patch Day. Four of the notes address critical-severity vulnerabilities.
The first note in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS score of 9.9), a critical SQL injection bug in S/4HANA.
The issue impacts a Remote Function Call-enabled module relying on the ABAP Database Connectivity (ADBC) framework for the execution of a native SQL statement, explains Onapsis, which discovered and reported the bug.
“This SQL statement is provided through an input parameter and allows an attacker to execute arbitrary SQL commands. On successful exploitation, the system can be fully compromised,” the security firm notes.
The second critical bug that SAP addressed on Tuesday is CVE-2026-0500 (CVSS score of 9.6), a remote code execution (RCE) issue in Wily Introscope Enterprise Manager.
According to Onapsis, the application allows unauthenticated attackers to craft malicious JNLP (Java Network Launch Protocol) files that can be accessed via URLs.
When a victim clicks on such a URL, the Wily Introscope Server executes commands on the victim’s application, impacting the application’s confidentiality, integrity, and availability.
Third in line is CVE-2026-0498 (CVSS score of 9.1), which is described as a code injection vulnerability in S/4HANA that could lead to OS command injection and full system compromise.
The bug exists due to “a remote-enabled function module that allows an attacker with admin privileges to arbitrarily modify the source code of existing programs without enforcing essential authentication checks,” Onapsis explains.
The fourth critical-severity flaw addressed on SAP’s January 2026 Security Patch Day is CVE-2026-0491 (CVSS score of 9.1), a code injection defect in Landscape Transformation. According to Onapsis, this is the same vulnerable function, but “the affected component is shipped as a separate DMIS add-on”.
On Tuesday, SAP also released four security notes dealing with high-severity vulnerabilities in HANA database, Application Server for ABAP and NetWeaver RFCSDK, Fiori App, and NetWeaver Application Server ABAP and ABAP Platform.
Successful exploitation of these bugs could allow attackers to elevate their privileges to administrator, upload specially crafted content to execute arbitrary commands, escalate privilege due to a missing authorization, and misuse a remote-enabled function module for form routine execution.
The remaining nine security notes in SAP’s January 2026 advisory resolve medium- and low-severity flaws in ERP Central Component and S/4HANA, NetWeaver, Business Connector, Supplier Relationship Management, Fiori App, Business Server Pages Application, Identity Management, and NW AS Java UME User Mapping.
Organizations are advised to review the fresh SAP security notes and apply the patches as soon as possible, as vulnerable SAP applications are attractive targets for threat actors.

