SAP Security Patch Day May 2026

SAP has released security updates to address vulnerabilities across multiple SAP products, including SAP S/4HANA, SAP BusinessObjects Business Intelligence Platform, SAP NetWeaver Application Server, SAP Commerce Cloud, SAP HANA, SAP Financial Consolidation, and SAP Incentive and Commission Management.

The addressed vulnerabilities could allow attackers to execute arbitrary SQL commands, obtain sensitive information, manipulate data, perform cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks, bypass security restrictions, conduct denial-of-service (DoS) attacks, execute arbitrary code, and gain unauthorized access to the affected systems.

Sample of the addressed vulnerabilities:

1. SAP S/4HANA (SAP Enterprise Search for ABAP) SQL Injection Vulnerability (CVE-2026-34260):

  • CVSS: 9.6
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Obtain Information

2. SAP Commerce Cloud Configuration Missing Authorization Check Vulnerability (CVE-2026-34263):

  • CVSS: 9.6
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Gain Access

Mitigations

The enterprise should deploy these patches as soon as the testing phase is completed.
