The quick facts first: 15 new security notes, 1 update to a note from last month, and 1 Hot News with CVSS 0.0. Yes, you read that right. More on that curiosity at the end.
smarterSec Remark:
If you run SAP, patching is not optional. It never was. What Sebastian Schönhöfer showed in our Q1 2026 webinar (in German) should remove any remaining doubt: even a “moderate” CVSS 5.5 vulnerability is enough for a skilled attacker to cause real harm.
SQL Injection Strikes…Again (Note 3724838 | CVSS 9.6)
Similar to April’s top-priority note, we’re once again dealing with an SQL injection vulnerability, this time under note 3724838. It affects a broad range of SAP NetWeaver AS ABAP-based systems, including your S/4HANA landscape. With a CVSS score of 9.6, this is not one to put into your backlog: immediate action is required.
SAP Commerce Cloud in the Crosshairs (Note 3733064 | CVSS 9.6)
The second top-priority note targets SAP Commerce Cloud, a product that’s not in every customer’s portfolio, so some of you may have an easy pass this month. The technical foundation here is the Java stack, and if you’re running Commerce Cloud, applying the latest support packages should be your next step.
OS Command Execution on NW AS ABAP (Note 3732471)
Next up is note 3732471, again rooted in NetWeaver AS ABAP, fixing an OS Command Execution vulnerability — always among the most critical issue classes. The fix introduces new authority checks, which immediately raises the practical question: how does this affect my existing applications and roles?
A great tool to answer that is the ABAP Call Monitor, which helps identify which users have been executing the relevant code — and therefore whose roles may need adjustment to avoid losing functionality after the patch.
Need help with the ABAP Call Monitor? Reach out to smarterSec.
Farewell, RSBDCOS0 (Note 3730019)
Now a sentimental moment: with note 3730019, SAP is officially retiring report RSBDCOS0, a tool that many long-time Basis folks will remember. It essentially acted as an ABAP-based shell, letting you interact with the file system directly from the SAP GUI.
From a security standpoint, retiring it makes complete sense. It was, by design, an OS command injection waiting to happen. The more interesting question is: why now? One likely answer is the RISE with SAP initiative, which shifts OS-level responsibility from customers to SAP. Having tools like RSBDCOS0 is not just risky, but incompatible with that operational model.
A Supply Chain Attack with CVSS 0.0? (Hot News 3747787)
This one deserves a second look. SAP Hot News note 3747787 addresses the SAP CAP supply chain attack (also known as “Mini Shai-Hulud”) and it carries a CVSS score of 0.0.
How can a supply chain attack score zero? Because CVSS measures exploitability and impact within a defined scope, and in this case the vulnerability has already been remediated at the source, meaning there’s no exploitable vector remaining by the time the note is published. The score reflects the post-fix state, not the severity of what happened.
Make no mistake though: this is extremely important for any customer doing development based on SAP’s Cloud Application Programming Model (CAP). If that’s you, this note warrants immediate attention regardless of the score.
Stay patched, stay secure, stay smart.
Are you confused by the monthly flood of notes?
Analyzing these notes manually takes time you might not have. If you want to ensure you never miss a critical fix, let us help you.
Check out our SAP Security Notes Service to streamline your patching process and keep your systems resilient.