CVE-2026-34263

Published May 12, 2026

Last updated a month ago

CVSS critical 9.6

SAP

Overview

Description: Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.
Source: cna@sap.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.6
Impact score: 6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

cna@sap.com: CWE-459

Hype score: Not currently trending

CVE-2026-34263: Improper Spring Security Configuration in SAP Commerce Cloud - What It Means for Your Business and How to Respond https://t.co/ErElCtHoP9
@integ_sec
25 May 2026
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
SAP patches critical Commerce Cloud RCE and S/4HANA SQL injection (CVE-2026-34263, CVE-2026-34260) https://t.co/KVSTqRbr7I
@ToolsLib
14 May 2026
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2026-21510 2 - CVE-2026-46300 3 - CVE-2026-41096 4 - CVE-2026-0300 5 - CVE-2026-34263 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
14 May 2026
128 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
【SAP S/4HANAとCommerce CloudにCritical、CVE-2026-34260/34263を優先適用】 SAPの2026年5月Security Patch Dayで、SAP S/4HANAのCVE-2026-34260とSAP Commerce CloudのCVE-2026-34263が修正されました。Singapore CSAは、いずれもCVSS 9.6のCriticalとして
@01ra66it
14 May 2026
526 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Warning: #SAP patched a critical SQL injection vulnerability in SAP S/4HANA CVE-2026-34260 CVSS: 9.6 and missing authentication check in SAP Commerce cloud CVE-2026-34263 CVSS: 9.6 #Patch #Patch #Patch https://t.co/s94PU19HvL
@CCBalert
13 May 2026
152 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
SAP、Commerce CloudとS/4HANAのCriticalな脆弱性に対処：CVE-2026-34263、CVE-2026-34260 | Codebook｜Security News https://t.co/oWtheG7BBQ
@ohhara_shiojiri
13 May 2026
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Top 5 Trending CVEs: 1 - CVE-2026-34078 2 - CVE-2026-31431 3 - CVE-2024-27867 4 - CVE-2026-3854 5 - CVE-2026-34263 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
13 May 2026
129 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
NEW THREAT INTEL: SAP May 2026 HotNews -- CVE-2026-34263 Commerce Cloud RCE + CVE-2026-34260 S/4HANA SQLi, both CVSS 9.6. https://t.co/yahuthQdMr #ThreatIntel #SAP #CVE https://t.co/KgJrffYnku
@threadlinqs
12 May 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
SAP Patch Day: 0 credentials needed to own Commerce Cloud (CVE-2026-34263, CVSS 9.6). S/4HANA SQL injection CVE-2026-34260 already under active attack. Apply SAP Notes 3733064 + 3724838 before EOD. https://t.co/hi6Gy04edk #SAP #CVE #PatchNow #CyberSecurity #RCE
@DecryptionDigst
12 May 2026
63 Impressions
0 Retweets
2 Likes
0 Bookmarks
1 Reply
0 Quotes

Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.•CVE-2026-34259
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.•CVE-2026-34260
Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.•CVE-2026-34256
Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of the system.•CVE-2026-27681
Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim�s browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.•CVE-2026-27674

References

Sources include official advisories and independent security research.

https://nvd.nist.gov/vuln/detail/CVE-2026-34263
https://me.sap.com/notes/3733064
https://url.sap/sapsecuritypatchday

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Related CVEs

References