SAP
Vulnerabilities and patches across SAP's enterprise stack — NetWeaver Application Server (Java and ABAP), S/4HANA, Business Technology Platform, AppRouter, and Commerce Cloud — including the monthly SAP Security Patch Day cycle.
SAP AppRouter HTTP request smuggling in Node.js middleware
Unauthenticated HTTP request smuggling in SAP AppRouter — the Node.js middleware fronting Business Technology Platform. NVD scored it 9.1. A crafted request can desynchronize the request-response pipeline, exposing other users' responses and knocking the service offline.
SAP NetWeaver AS ABAP memory-corruption via logical errors in memory management
Authenticated memory-corruption in NetWeaver Application Server ABAP that NVD scored 9.9 — a logged-in attacker can leverage logical errors in memory management to read data, modify data, or take the application down. Fixed in the SAP July 2026 Security Patch Day.
SAP Commerce Cloud ships sample OAuth2 client with publicly documented credentials
SAP Commerce Cloud retained a sample OAuth2 client whose credentials were documented in SAP Help Portal. If left unchanged, an unauthenticated attacker can use those well-known values to obtain a valid access token and read or modify tenant data via certain APIs. NVD scored 9.1.
