SAP's May 2026 Security Patch Day includes fixes for 15 vulnerabilities, with critical issues in S/4HANA and Commerce. CVE-2026-34260 is an SQL injection vulnerability in S/4HANA caused by missing input validation, exploitable by authenticated users to affect confidentiality and availability. CVE-2026-34263 in SAP Commerce stems from an overly permissive security configuration and improper rule ordering, allowing unauthenticated attackers to upload malicious configurations and execute arbitrary code server-side. CVE-2026-34259 is an OS command injection vulnerability in Forecasting & Replenishment, exploitable by authenticated attackers. The patches address these and other medium and low severity issues across various SAP components. No known active exploitation has been reported.

Successful exploitation of CVE-2026-34260 could lead to unauthorized data disclosure and impact application availability in S/4HANA. CVE-2026-34263 allows unauthenticated attackers to execute arbitrary code on SAP Commerce servers, posing a severe risk of full system compromise. CVE-2026-34259 permits authenticated attackers to execute arbitrary OS commands, potentially leading to system control. The vulnerabilities collectively pose critical risks to confidentiality, integrity, and availability of affected SAP systems if left unpatched.

SAP has released official patches for all identified vulnerabilities as part of its May 2026 Security Patch Day. Organizations using affected SAP products should apply these patches immediately to remediate the critical code injection and command execution flaws. There are no reports of exploitation in the wild, but timely patching is strongly recommended to prevent potential attacks.