SAP Patches Two Critical CVSS 9.6 Vulnerabilities in Commerce Cloud and S/4HANA

SAP released 17 security notes on May 12, 2026, including two critical-rated flaws: CVE-2026-34263, a missing authentication check in SAP Commerce Cloud allowing unauthenticated attackers to execute arbitrary server-side code, and CVE-2026-34260, an SQL injection in S/4HANA Enterprise Search allowing authenticated attackers to manipulate database queries. Both score CVSS 9.6. SAP also patched one high-severity and 11 medium-severity issues. While SAP has no evidence of active exploitation, CISA has added 14 SAP vulnerabilities to its Known Exploited Vulnerabilities catalog in recent years, including two abused in ransomware attacks.
Technical significance
SAP systems underpin the operations of 99 of the world's top 100 companies, making these critical vulnerabilities a supply-chain-scale risk. The Commerce Cloud flaw (CVE-2026-34263) is particularly dangerous because it requires no authentication and leads directly to code execution on internet-facing e-commerce platforms. Organizations running SAP should treat this as a 24-hour patching priority given the history of SAP exploits being weaponized in ransomware campaigns.