Posting Date: 2026/05/15

【Vulnerability Alert】SAP Releases Critical Security Advisories for Multiple Products

  • Description:
    • Forwarded from Taiwan Computer Emergency Response Team / Coordination Center Security Advisory TWCERTCC-200-202605-00000005
    • 【CVE-2026-34260, CVSS: 9.6】 An SQL Injection vulnerability exists in SAP S/4HANA (SAP Enterprise Search for ABAP). Authenticated attackers can inject malicious SQL syntax through user-controlled inputs, which are passed to the underlying database without proper validation or filtering. This can lead to unauthorized access to sensitive database information and affect the confidentiality and availability of the application.
    • 【CVE-2026-34263, CVSS: 9.6】 SAP Commerce Cloud allows unauthenticated attackers to perform malicious configuration uploads and code injection, leading to arbitrary server-side code execution. This may impact the confidentiality, integrity, and availability of the application.
  • Affected Platforms:
    • 【CVE-2026-34260】 SAP S/4HANA (SAP Enterprise Search for ABAP) Version(s) - SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
    • 【CVE-2026-34263】 SAP Commerce Cloud Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
  • Recommended Actions:

Computer and Communication Center
Network Systems Division