SAP Patches Critical SQL Injection Flaw in SAP S/4HANA - cyberpress.org

Cyber Security News Cybersecurity Vulnerability SAP Patches Critical SQL Injection Flaw Facebook Twitter Pinterest WhatsApp A severe vulnerability has struck the heart of enterprise resource planning systems this month, threatening organizations worldwide with potential data breaches. On May 12, 2026, the software giant released its monthly security patch update to address 15 newly discovered security flaws across its software ecosystem. Enterprise defenders must prioritize these updates immediately, as attackers frequently target enterprise platforms to extract sensitive corporate data or disrupt daily business operations. Critical SQL Injection Vulnerability The most severe threat in this release is a critical SQL injection vulnerability in the ABAP enterprise search component. Tracked as CVE-2026-34260, this flaw carries a near-perfect severity score of 9.6 out of 10. If exploited, attackers could execute arbitrary database queries to steal, modify, or delete highly sensitive business records without needing elevated network privileges. A second critical vulnerability, CVE-2026-34263, also scored 9.6 and heavily impacts the SAP Commerce Cloud configuration. This missing authentication check allows unauthorized threat actors to bypass security controls entirely, leaving customer-facing commerce platforms dangerously exposed to remote compromise and data theft. According to the SAP Support Portal, administrators must apply these patches with priority to protect their entire software landscapes. Beyond the two critical flaws, the May 2026 update addresses several other significant vulnerabilities that require prompt mitigation: CVE-2026-34259 (CVSS 8.2) — An OS command injection flaw in SAP Forecasting & Replenishment that could allow a privileged attacker to execute dangerous commands directly on the underlying server operating system CVE-2026-40135 (CVSS 6.5) — OS command injection in SAP NetWeaver AS for ABAP and ABAP Platform CVE-2026-40133 (CVSS 6.3) — Missing authorization check in SAP S/4HANA Condition Maintenance Multiple medium-severity cross-site scripting, denial-of-service, and missing authorization flaws across Business Objects, NetWeaver, and SAPUI5 Security teams are strongly advised to review their exposure to these secondary threats, as chained vulnerabilities often lead to deeper network infiltration. Complete May 2026 Vulnerability Directory The following table outlines all 15 security notes released during this cycle, structured for easy review and vulnerability management tracking. Note CVE Title Affected Product Severity CVSS 3724838 CVE-2026-34260 SQL Injection vulnerability SAP S/4HANA (Enterprise Search for ABAP) Critical 9.6 3733064 CVE-2026-34263 Missing Authentication Check SAP Commerce Cloud Configuration Critical 9.6 3732471 CVE-2026-34259 OS Command Injection SAP Forecasting & Replenishment High 8.2 3730019 CVE-2026-40135 OS Command Injection SAP NetWeaver AS for ABAP and ABAP Platform Medium 6.5 3718083 CVE-2026-40133 Missing Authorization Check SAP S/4HANA Condition Maintenance Medium 6.3 3727717 CVE-2026-40137 Cross-Site Scripting (XSS) Business Server Pages Application Medium 6.1 3667593 CVE-2026-0502 Cross-Site Request Forgery (CSRF) SAP BusinessObjects Business Intelligence Medium 5.4 3721959 CVE-2026-40132 Missing Authorization Check SAP Strategic Enterprise Management Medium 5.4 3716450 CVE-2025-68161 Improper Certificate Validation SAP Commerce Cloud (Apache Log4j) Medium 4.8 3726583 CVE-2026-34258 Content Spoofing Vulnerability SAPUI5 (Search UI) Medium 4.7 3728690 CVE-2026-27682 Reflected Cross-Site Scripting (XSS) SAP NetWeaver Application Server ABAP Medium 4.7 3713521 CVE-2026-40136 Denial of Service (DoS) SAP Financial Consolidation Medium 4.3 3718508 CVE-2026-40134 Missing Authorization Check SAP Incentive and Commission Management Medium 4.3 3735359 CVE-2026-40129 Code Injection Vulnerability SAP Application Server ABAP for NetWeaver Medium 4.3 3726962 CVE-2026-40131 SQL Injection Vulnerability SAP HANA Deployment Infrastructure (HDI) Low 3.4 Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google