Back

SAP Addresses Critical Vulnerabilities in Commerce Cloud and S/4HANA

Severity: High (Score: 70.5)

Sources: Bleepingcomputer, Cybersecuritynews, Heise.De

Summary

SAP has released security updates for May 2026, addressing 15 vulnerabilities, including two critical flaws in Commerce Cloud and S/4HANA. The first critical vulnerability (CVE-2026-34263) allows unauthenticated attackers to execute arbitrary code on servers due to a missing authentication check in SAP Commerce Cloud. The second critical flaw (CVE-2026-34260) permits authenticated attackers to perform SQL injection attacks, potentially gaining unauthorized access to sensitive database information. SAP has not identified any active exploitation of these vulnerabilities but has previously faced issues with similar flaws. The updates also include fixes for one high-severity and 11 medium-severity vulnerabilities. IT managers are advised to apply the patches promptly to mitigate risks. The vulnerabilities could significantly impact the confidentiality, integrity, and availability of affected systems. Key Points: • SAP released patches for 15 vulnerabilities, including two critical flaws. • CVE-2026-34263 allows unauthenticated code execution in Commerce Cloud. • CVE-2026-34260 enables SQL injection attacks in S/4HANA, risking database access.

Key Entities

  • Command Injection (attack_type)
  • Cross-site Request Forgery (csrf) (attack_type)
  • Denial-of-Service (attack_type)
  • Sql Injection (attack_type)
  • Supply Chain Attack (attack_type)
  • Cross-Site Scripting (xss) (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1195 - Supply Chain Compromise (mitre_attack)
  • CVE-2026-34259 (cve)
  • CVE-2026-34260 (cve)
  • CVE-2026-34263 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • CWE-287 - Improper Authentication (cwe)
  • Cwe-352 - Cross-Site Request Forgery (csrf) (cwe)
  • Cwe-434 - Unrestricted Upload Of File With Dangerous Type (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • SAP Commerce Cloud (platform)
  • SAP Enterprise For ABAP (platform)
  • SAP Forecasting & Replenishment (platform)
  • SAP HANA Deployment Infrastructure (hdi) Deploy Library (platform)
  • SAP S/4HANA (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed