Critical severity9.6NVD Advisory· Published May 12, 2026· Updated May 12, 2026
CVE-2026-34260
CVE-2026-34260
Description
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
References
2News mentions
4- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and MoreThe Hacker News · May 18, 2026
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation FlawsThe Hacker News · May 18, 2026
- SAP Patches Critical S/4HANA, Commerce VulnerabilitiesSecurityWeek · May 12, 2026
- SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANABleepingComputer · May 12, 2026