SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud.
NetWeaver is SAP's core application platform and middleware stack that provides the foundation for many SAP business applications, including ERP systems, handling functions such as application serving, integration, authentication, user management, and data processing.
Commerce Cloud is an enterprise e-commerce platform (formerly Hybris). It enables organizations to build and manage online stores, digital sales channels, product catalogs, customer accounts, and order management systems for B2B and B2C commerce.
In this month's security bulletin, SAP lists the following critical vulnerabilities as being addressed:
CVE-2026-44748 (CVSS 9.9) – XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform, potentially allowing authentication bypass in SAML-based environments.
CVE-2026-27671 (CVSS 9.8) – Memory corruption flaw in SAP NetWeaver/ABAP Platform Application Server ABAP.
CVE-2026-22732 (CVSS 9.1) – Spring Security-related vulnerability affecting SAP Commerce Cloud and SAP Data Hub.
CVE-2026-40128 (CVSS 9.0) – Directory traversal vulnerability in SAP NetWeaver Application Server Java's Web Container.
“SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier,” reads the description for CVE-2026-44748.
“This may result in acceptance of tampered identity information leading to unauthorized access to sensitive user data and potential disruption of normal system usage.”
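As an added illustration of the defensive side of the signature-wrapping issue described above (example code, not SAP's implementation): a structural pre-check a SAML verifier can apply so that the assertion it trusts is exactly the element the signature covers. The response shapes, assertion IDs and placeholder signature values are constructed for the example; cryptographic verification of the signature is assumed to happen separately.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

class WrappingSuspected(Exception): """Response is not one assertion with its own enveloped signature."""

def select_trusted_assertion(xml_text: str) -> str:
    """Return the ID of the only assertion whose claims may be used. Assumed policy (not SAP's code):
    one saml:Assertion, one ds:Signature as its direct child, whose single ds:Reference URI targets
    that assertion's ID. Signature verification itself is out of scope here."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise WrappingSuspected(f"expected 1 Assertion, found {len(assertions)}")
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        raise WrappingSuspected("Assertion has no ID attribute")
    signatures = assertion.findall("ds:Signature", NS)  # direct children only (enveloped signature)
    if len(signatures) != 1:
        raise WrappingSuspected(f"expected 1 enveloped Signature, found {len(signatures)}")
    refs = signatures[0].findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise WrappingSuspected(f"expected 1 Reference, found {len(refs)}")
    uri = refs[0].get("URI", "")
    if uri != "#" + assertion_id:
        raise WrappingSuspected(f"Reference URI {uri!r} does not cover Assertion {assertion_id!r}")
    return assertion_id

def accepts(xml_text: str) -> bool:
    """True when the structural checks pass, False when wrapping is suspected."""
    try:
        return bool(select_trusted_assertion(xml_text))
    except WrappingSuspected:
        return False

# Constructed sample responses; the SignatureValue is a placeholder, not a real signature.
_ENVELOPE = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
             'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
             'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">{}</samlp:Response>')
SIGNED = ('<saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
          '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
          '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature></saml:Assertion>')
UNSIGNED = '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject></saml:Assertion>'
GOOD_RESPONSE = _ENVELOPE.format(SIGNED)
WRAPPED_RESPONSE = _ENVELOPE.format(UNSIGNED + SIGNED)  # second, unsigned assertion beside the signed one
```

A verifier that located "the" assertion by a plain path lookup would pick `_a2` in the wrapped response while the signature over `_a1` still validates; tying the trusted element to the Reference URI closes that gap.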