By rssfeeds-admin On May 12, 2026, the software giant released its monthly security patch update to address 15 newly discovered security flaws across its software ecosystem.
Enterprise defenders must prioritize these updates immediately, as attackers frequently target enterprise platforms to extract sensitive corporate data or disrupt daily business operations.
Critical SQL Injection Vulnerability
The most severe threat in this release is a critical SQL injection vulnerability in the ABAP enterprise search component.
Tracked as CVE-2026-34260, this flaw carries a near-perfect severity score of 9.6 out of 10.
If exploited, attackers could execute arbitrary database queries to steal, modify, or delete highly sensitive business records without needing elevated network privileges.
A second critical vulnerability, CVE-2026-34263, also scored 9.6 and heavily impacts the SAP Commerce Cloud configuration.
This missing authentication check allows unauthorized threat actors to bypass security controls entirely, leaving customer-facing commerce platforms dangerously exposed to remote compromise and data theft.
According to the SAP Support Portal, administrators must apply these patches with priority to protect their entire software landscapes.
Beyond the two critical flaws, the May 2026 update addresses several other significant vulnerabilities that require prompt mitigation:
- CVE-2026-34259 (CVSS 8.2) — An OS command injection flaw in SAP Forecasting & Replenishment that could allow a privileged attacker to execute dangerous commands directly on the underlying server operating system
- CVE-2026-40135 (CVSS 6.5) — OS command injection in SAP NetWeaver AS for ABAP and ABAP Platform
- CVE-2026-40133 (CVSS 6.3) — Missing authorization check in SAP S/4HANA Condition Maintenance
- Multiple medium-severity cross-site scripting, denial-of-service, and missing authorization flaws across Business Objects, NetWeaver, and SAPUI5
Security teams are strongly advised to review their exposure to these secondary threats, as chained vulnerabilities often lead to deeper network infiltration.
Complete May 2026 Vulnerability Directory
The following table outlines all 15 security notes released during this cycle, structured for easy review and vulnerability management tracking.
| Note | CVE | Title | Affected Product | Severity | CVSS |
|---|---|---|---|---|---|
| 3724838 | CVE-2026-34260 | SQL Injection vulnerability | SAP S/4HANA (Enterprise Search for ABAP) | Critical | 9.6 |
| 3733064 | CVE-2026-34263 | Missing Authentication Check | SAP Commerce Cloud Configuration | Critical | 9.6 |
| 3732471 | CVE-2026-34259 | OS Command Injection | SAP Forecasting & Replenishment | High | 8.2 |
| 3730019 | CVE-2026-40135 | OS Command Injection | SAP NetWeaver AS for ABAP and ABAP Platform | Medium | 6.5 |
| 3718083 | CVE-2026-40133 | Missing Authorization Check | SAP S/4HANA Condition Maintenance | Medium | 6.3 |
| 3727717 | CVE-2026-40137 | Cross-Site Scripting (XSS) | Business Server Pages Application | Medium | 6.1 |
| 3667593 | CVE-2026-0502 | Cross-Site Request Forgery (CSRF) | SAP BusinessObjects Business Intelligence | Medium | 5.4 |
| 3721959 | CVE-2026-40132 | Missing Authorization Check | SAP Strategic Enterprise Management | Medium | 5.4 |
| 3716450 | CVE-2025-68161 | Improper Certificate Validation | SAP Commerce Cloud (Apache Log4j) | Medium | 4.8 |
| 3726583 | CVE-2026-34258 | Content Spoofing Vulnerability | SAPUI5 (Search UI) | Medium | 4.7 |
| 3728690 | CVE-2026-27682 | Reflected Cross-Site Scripting (XSS) | SAP NetWeaver Application Server ABAP | Medium | 4.7 |
| 3713521 | CVE-2026-40136 | Denial of Service (DoS) | SAP Financial Consolidation | Medium | 4.3 |
| 3718508 | CVE-2026-40134 | Missing Authorization Check | SAP Incentive and Commission Management | Medium | 4.3 |
| 3735359 | CVE-2026-40129 | Code Injection Vulnerability | SAP Application Server ABAP for NetWeaver | Medium | 4.3 |
| 3726962 | CVE-2026-40131 | SQL Injection Vulnerability | SAP HANA Deployment Infrastructure (HDI) | Low | 3.4 |
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post SAP Patches Critical SQL Injection Flaw in SAP S/4HANA appeared first on Cyber Security News.
Discover more from RSS Feeds Cloud
Subscribe to get the latest posts sent to your email.