CVE-2026-44748 – SAP NetWeaver / Spring Security

CVSS 9.9 CRITICAL Critical or Zero Day – Immediate Deployment

“These critical patches close serious paths to data exposure, service disruption, and platform compromise.”

SAP and VMware patched four Critical vulnerabilities across SAP NetWeaver, ABAP Platform, SAP NetWeaver Application Server Java, and Spring Security. CVE-2026-44748 has a CVSS score of 9.9, which is Critical severity. CVE-2026-27671 has a CVSS score of 9.8, which is Critical severity. CVE-2026-22732 has a CVSS score of 9.1, which is Critical severity. CVE-2026-40128 has a CVSS score of 9.0, which is Critical severity.

The SAP vulnerabilities cover signed XML tampering, improper RFC protocol validation, and path traversal through malicious HTTP logon requests. These issues can lead to unauthorized access, memory corruption, data exposure, and service disruption. The Spring Security issue can prevent expected HTTP security headers from being written. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-347
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.