SAP Patches Critical SQL Injection Flaw in SAP S/4HANA

A severe vulnerability has struck the heart of enterprise resource planning systems this month, threatening organizations worldwide with potential data breaches.

On May 12, 2026, the software giant released its monthly security patch update to address 15 newly discovered security flaws across its software ecosystem.

Enterprise defenders must prioritize these updates immediately, as attackers frequently target enterprise platforms to extract sensitive corporate data or disrupt daily business operations.

Critical SQL Injection Vulnerability

The most severe threat in this release is a critical SQL injection vulnerability in the ABAP enterprise search component.

Tracked as CVE-2026-34260, this flaw carries a near-perfect severity score of 9.6 out of 10.

If exploited, attackers could execute arbitrary database queries to steal, modify, or delete highly sensitive business records without needing elevated network privileges.

A second critical vulnerability, CVE-2026-34263, also scored 9.6 and heavily impacts the SAP Commerce Cloud configuration.

This missing authentication check allows unauthorized threat actors to bypass security controls entirely, leaving customer-facing commerce platforms dangerously exposed to remote compromise and data theft.

According to the SAP Support Portal, administrators must apply these patches with priority to protect their entire software landscapes.

Beyond the two critical flaws, the May 2026 update addresses several other significant vulnerabilities that require prompt mitigation:

• CVE-2026-34259 (CVSS 8.2) — An OS command injection flaw in SAP Forecasting & Replenishment that could allow a privileged attacker to execute dangerous commands directly on the underlying server operating system
• CVE-2026-40135 (CVSS 6.5) — OS command injection in SAP NetWeaver AS for ABAP and ABAP Platform
• CVE-2026-40133 (CVSS 6.3) — Missing authorization check in SAP S/4HANA Condition Maintenance
• Multiple medium-severity cross-site scripting, denial-of-service, and missing authorization flaws across Business Objects, NetWeaver, and SAPUI5

Security teams are strongly advised to review their exposure to these secondary threats, as chained vulnerabilities often lead to deeper network infiltration.

Complete May 2026 Vulnerability Directory

The following table outlines all 15 security notes released during this cycle, structured for easy review and vulnerability management tracking.

Note	CVE	Title	Affected Product	Severity	CVSS
3724838	CVE-2026-34260	SQL Injection vulnerability	SAP S/4HANA (Enterprise Search for ABAP)	Critical	9.6
3733064	CVE-2026-34263	Missing Authentication Check	SAP Commerce Cloud Configuration	Critical	9.6
3732471	CVE-2026-34259	OS Command Injection	SAP Forecasting & Replenishment	High	8.2
3730019	CVE-2026-40135	OS Command Injection	SAP NetWeaver AS for ABAP and ABAP Platform	Medium	6.5
3718083	CVE-2026-40133	Missing Authorization Check	SAP S/4HANA Condition Maintenance	Medium	6.3
3727717	CVE-2026-40137	Cross-Site Scripting (XSS)	Business Server Pages Application	Medium	6.1
3667593	CVE-2026-0502	Cross-Site Request Forgery (CSRF)	SAP BusinessObjects Business Intelligence	Medium	5.4
3721959	CVE-2026-40132	Missing Authorization Check	SAP Strategic Enterprise Management	Medium	5.4
3716450	CVE-2025-68161	Improper Certificate Validation	SAP Commerce Cloud (Apache Log4j)	Medium	4.8
3726583	CVE-2026-34258	Content Spoofing Vulnerability	SAPUI5 (Search UI)	Medium	4.7
3728690	CVE-2026-27682	Reflected Cross-Site Scripting (XSS)	SAP NetWeaver Application Server ABAP	Medium	4.7
3713521	CVE-2026-40136	Denial of Service (DoS)	SAP Financial Consolidation	Medium	4.3
3718508	CVE-2026-40134	Missing Authorization Check	SAP Incentive and Commission Management	Medium	4.3
3735359	CVE-2026-40129	Code Injection Vulnerability	SAP Application Server ABAP for NetWeaver	Medium	4.3
3726962	CVE-2026-40131	SQL Injection Vulnerability	SAP HANA Deployment Infrastructure (HDI)	Low	3.4

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post SAP Patches Critical SQL Injection Flaw in SAP S/4HANA appeared first on Cyber Security News.