
SAP Patches Critical S/4HANA, Commerce Vulnerabilities

Enterprise software maker SAP on Tuesday announced the release of 15 new security notes as part of its May 2026 Security Patch Day.

The most severe of the resolved vulnerabilities are critical code injection issues in S/4HANA and Commerce that could allow attackers to leak data and execute arbitrary code. Both security defects have a CVSS score of 9.6.

Tracked as CVE-2026-34260, the S/4HANA bug is described as an SQL injection issue stemming from missing input validation and sanitization.

An authenticated attacker could exploit the weakness to inject malicious SQL statements. The vulnerable code only permits read access to data, and a successful attack would only affect application confidentiality and availability, SAP security firm Onapsis explains.

The critical SAP Commerce vulnerability, tracked as CVE-2026-34263, is described as a missing authentication check affecting the cloud configuration.

“The vulnerability is caused by an overly permissive security configuration with improper rule ordering, allowing an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution,” Onapsis explains.
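A generic illustration of the rule-ordering failure class Onapsis describes, added here as an example: it is not SAP Commerce's configuration or code, and the paths, access labels and first-match evaluation model are assumptions. It shows how a broad permit rule placed first shadows a later authentication rule, and a simple audit check that flags such shadowing.

```python
from fnmatch import fnmatchcase

# Constructed rule sets: paths and access labels are hypothetical.
# Each rule is (path pattern, access); evaluation is first-match-wins.
MISORDERED = [
    ("/**", "permit_all"),                  # broad rule listed first
    ("/admin/config/**", "authenticated"),  # never reached
]
CORRECTED = [
    ("/admin/config/**", "authenticated"),  # most specific rule first
    ("/public/**", "permit_all"),
    ("/**", "authenticated"),               # restrictive catch-all last
]

def decide(rules, path):
    """Return the access requirement of the first rule matching path."""
    for pattern, access in rules:
        if fnmatchcase(path, pattern):
            return access
    return "deny"  # default-deny when nothing matches

def shadowed_rules(rules):
    """Flag rules that an earlier, broader rule with a different access
    requirement fully covers. Matching the later pattern text against the
    earlier pattern is a conservative check for patterns whose only
    wildcard is '*'."""
    findings = []
    for i, (later, later_access) in enumerate(rules):
        for earlier, earlier_access in rules[:i]:
            if fnmatchcase(later, earlier) and earlier_access != later_access:
                findings.append((later, earlier))
                break
    return findings

if __name__ == "__main__":
    for name, rules in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, decide(rules, "/admin/config/upload"), shadowed_rules(rules))
```

Running a check like `shadowed_rules` in CI against the deployed access-control rules catches this kind of ordering regression before release.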


SAP’s fresh round of patches also resolves a high-severity OS command injection flaw in Forecasting & Replenishment. Tracked as CVE-2026-34259, it could allow authenticated attackers to execute arbitrary operating system commands.

The remaining 12 security notes released on SAP’s May 2026 Security Patch Day address medium and low-severity bugs in NetWeaver, S/4HANA, Business Server Pages Application, BusinessObjects, Strategic Enterprise Management, Commerce Cloud, SAPUI5, Financial Consolidation, Incentive and Commission Management, and the HANA Deployment Infrastructure (HDI) deploy library.

SAP makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to apply the patches as soon as possible.

The new security notes were released less than two weeks after four SAP NPM packages were injected with malware as part of the Mini Shai-Hulud supply chain attack that affected over 1,800 developers.
