CVE-2026-34260

Published May 12, 2026

Last updated 2 days ago

CVSS critical 9.6
SAP

Overview

Description
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
Source
cna@sap.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Primary
Base score
9.6
Impact score
5.8
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Severity
CRITICAL

Weaknesses

cna@sap.com
CWE-89

Social media

Hype score
Not currently trending

  1. 【SAP S/4HANAとCommerce CloudにCritical、CVE-2026-34260/34263を優先適用】 SAPの2026年5月Security Patch Dayで、SAP S/4HANAのCVE-2026-34260とSAP Commerce CloudのCVE-2026-34263が修正されました。Singapore CSAは、いずれもCVSS 9.6のCriticalとして

    @01ra66it

    14 May 2026

    204 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Warning: #SAP patched a critical SQL injection vulnerability in SAP S/4HANA CVE-2026-34260 CVSS: 9.6 and missing authentication check in SAP Commerce cloud CVE-2026-34263 CVSS: 9.6 #Patch #Patch #Patch https://t.co/s94PU19HvL

    @CCBalert

    13 May 2026

    145 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. SAP、Commerce CloudとS/4HANAのCriticalな脆弱性に対処:CVE-2026-34263、CVE-2026-34260 | Codebook|Security News https://t.co/oWtheG7BBQ

    @ohhara_shiojiri

    13 May 2026

    61 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. NEW THREAT INTEL: SAP May 2026 HotNews -- CVE-2026-34263 Commerce Cloud RCE + CVE-2026-34260 S/4HANA SQLi, both CVSS 9.6. https://t.co/yahuthQdMr #ThreatIntel #SAP #CVE https://t.co/KgJrffYnku

    @threadlinqs

    12 May 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. SAP Patch Day: 0 credentials needed to own Commerce Cloud (CVE-2026-34263, CVSS 9.6). S/4HANA SQL injection CVE-2026-34260 already under active attack. Apply SAP Notes 3733064 + 3724838 before EOD. https://t.co/hi6Gy04edk #SAP #CVE #PatchNow #CyberSecurity #RCE

    @DecryptionDigst

    12 May 2026

    63 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Related CVEs

  1. Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.CVE-2026-34259
  2. Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.CVE-2026-34263
  3. Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.CVE-2026-34256
  4. Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.CVE-2026-27681
  5. Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim�s browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.CVE-2026-27674

References

Sources include official advisories and independent security research.