SAP security advisory – July 2026 monthly rollup (AV26-690)

Serial number: AV26-690
Date: July 14, 2026

On July 14, 2026, SAP published security advisories to address vulnerabilities in the following products. Included were critical updates for the following:

  • SAP Approuter node.js package - versions prior to 20.10.0
  • SAP Approuter node.js package - versions prior to 21.2.0
  • SAP Change and Transport System Attach Tool (ctsattach) - version CTS_UPLOAD_CLT 1
  • SAP Commerce Cloud - versions HY_COM 2205, COM_CLOUD 2211 and 2211-JDK21
  • SAP CRM (WebClient UI) - versions S4FND 104, 105 and 106
  • SAP Fiori (launchpad) - versions SAP_UI 754, 755, 756, 757, 758 and 816
  • SAP Integration Suite (Edge Integration Cell) - versions prior to 8.43.11
  • SAP HANA Extended Application Services classic model (User Self Service) - version HDB 2.00
  • SAP NetWeaver Application Server ABAP - versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53. 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, 9.19 and 9.20
  • SAP NetWeaver Application Server ABAP (applications based on Business Server Pages) - multiple versions
  • SAP NetWeaver Application Server Java (Configuration Wizard) - version ENGINEAPI 7.50
  • SAP NetWeaver Application Server Java (Web Container) - version LMCTC 7.50
  • SAP NetWeaver AS Java - versions SERVERCORE 7.50, CORE-TOOLS 7.50 and J2EE-APPS 7.50
  • SAP NetWeaver Enterprise Portal - version EP-RUNTIME 7.50
  • SAProuter on Microsoft Windows - versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, SAP_ROUTER 7.53, 7.54, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.17 and 9.18
  • SAP S/4 HANA (Create Single Payment) - versions S4CORE 102, 103, 104, 105, 106, 107, 108 and 109
  • SAP S/4HANA (Draft operation) - version S4CORE 108
  • SAP S/4HANA Project Management (PPM-PRO) - multiple versions

The Cyber Centre encourages users and administrators to review the provided web link, perform the suggested mitigations, and apply the necessary updates.

Date modified: