Jump to the main content block
  1. Home
  2. Information Security
  3. Vulnerability Alert

【Vulnerability Alert】SAP released critical information security advisories for multiple products under its brand.

publish date : 2026-05-15 update date : 2026-05-15

Source: Ministry of education information & communication security contingency platform

"" "" ""

Publication Number TACERT-ANA-2026051404051010 Publication Time 2026-05-14 16:31:11
Incident Type ANA-Vulnerability Alert Discovery Time 2026-05-14 16:31:11
Impact Level Low  
[Subject]
【Vulnerability Alert】SAP released critical information security advisories for multiple products under its brand.
[Content]

Forwarded from TWCERTCC-200-202605-00000005

【CVE-2026-34260, CVSS: 9.6】 SAP S/4HANA (SAP Enterprise Search for ABAP) contains an SQL injection vulnerability, allowing an authenticated attacker to inject malicious SQL syntax through user-controlled input and transmit it to the underlying database without proper validation or filtering, which may result in the attacker obtaining unauthorized access privileges to sensitive databases and affect the confidentiality and availability of the application.

【CVE-2026-34263, CVSS: 9.6】 SAP Commerce cloud allows an unauthenticated attacker to execute malicious configuration uploads and code injection, resulting in arbitrary server-side code execution, which may affect the confidentiality, integrity, and availability of the application.

Information Sharing Level: WHITE (The information content is information that may be publicly disclosed)
[Affected Platform]

【CVE-2026-34260】 SAP S/4HANA (SAP Enterprise Search for ABAP) Version(s) - SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

【CVE-2026-34263】 SAP Commerce cloud Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
[Recommended Actions]

Perform patching according to the solution released on the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html

[Reference]
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center
Click Num:
Print