Critical severity9.6NVD Advisory· Published May 12, 2026· Updated May 12, 2026

CVE-2026-34260

Description

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Affected products

SAP/Sap Dbllm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
The Hacker News · May 18, 2026
SAP Patches Critical S/4HANA, Commerce Vulnerabilities
SecurityWeek · May 12, 2026
SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA
BleepingComputer · May 12, 2026

cvss	0.624
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000