SAP Addresses Critical Vulnerabilities in Commerce Cloud and S/4HANA

SAP Addresses Critical Vulnerabilities in Commerce Cloud and S/4HANA

First seen 12 May 2026, 14:59 UTC BleepingcomputerHeise.DeCybersecuritynewsCsa.SgCcb.Belgium.Be 85% similarity 70.5

Article Content

Browse articles
ThreatCluster

On May 12, 2026, SAP released security updates for 15 vulnerabilities, including two critical flaws in Commerce Cloud and S/4HANA. The first critical vulnerability (CVE-2026-34263) allows unauthenticated attackers to execute arbitrary code due to a missing authentication check. The second critical flaw (CVE-2026-34260) enables attackers with basic privileges to perform SQL injection attacks, potentially accessing sensitive database information or crashing the application. SAP's advisory also includes fixes for one high-severity and 11 medium-severity issues. While no exploitation of these vulnerabilities has been confirmed, CISA has previously cataloged similar SAP vulnerabilities as exploited in the wild. Organizations using affected SAP products are urged to apply the patches promptly.

Key Points: • SAP released patches for 15 vulnerabilities, including two critical flaws. • CVE-2026-34263 allows unauthenticated code execution in Commerce Cloud. • CVE-2026-34260 enables SQL injection attacks in S/4HANA, risking data exposure.

ThreatCluster AI

Timeline

2026-05-12
SAP Patchday security updates released
SAP released security updates addressing 15 vulnerabilities, including two critical flaws affecting Commerce Cloud and S/4HANA.
Bleepingcomputer
2026-05-12
CVE-2026-34263 published
Critical flaw in SAP Commerce Cloud allows unauthenticated attackers to execute arbitrary code.
Bleepingcomputer
2026-05-12
CVE-2026-34260 published
Critical SQL injection vulnerability in SAP S/4HANA enables unauthorized access to databases.
Bleepingcomputer
2026-05-12
CVE-2026-34259 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE

Community

Browse all →