SAP has released 20 security patches in its April 2026 update, with the most critical being a SQL injection vulnerability in ABAP programs used by Business Planning and Consolidation software, scored at 9.9 out of 10 on the severity scale. The flaw allows low-privileged users to upload files with malicious SQL code that could lead to arbitrary code execution, potentially letting attackers extract sensitive financial data, alter reports, or corrupt database content. SAP fixed the issue by completely deactivating the vulnerable code, and while there's no evidence of active exploitation, users are urged to apply the patches immediately.