The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10.

Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file upload bug in Visual Composer 7.0 RT, and CVE-2021-37531, a code injection issue in Knowledge Management.

Both vulnerabilities require for an attacker to have minimum privileges on the affected system for exploitation, which prevents the bugs from having a maximum CVSS score.