SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter.
The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software.
"SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability," SAP says. "This has high impact on confidentiality, integrity, and availability of the application."
The second one (CVE-2026-27690) is an HTTP Request Smuggling vulnerability in SAP Approuter, a Node.js-based middleware library for cloud-based apps deployed on the company's Business Technology Platform (SAP BTP).
Unauthenticated attackers can exploit this flaw via specially crafted HTTP requests to access user responses and trigger denial-of-service attacks on the targeted system.











