Through services such as SAP Security Assessment, Inprosec helps its clients improve the security levels of their SAP systems.
May 2026 Notes
Monthly Summary and Highlights
This month, the total number of notes was 15 (all new, with no updates), 5 fewer than in April. Two Hot News notes were published this month, one more than in the previous period. There was 1 high-severity note, the same number as in April. Medium- and low-severity notes are not reviewed here, so we provide details on a total of 3 notes (all those with a CVSS score of 7 or higher).
We have a total of 15 notes for the entire month (all 15 are new and there are no updates from previous months).
We will review in detail a total of 3 notes, all of them Hot News or high severity:
- The highest-severity note of the month (CVSS 9.6) is a Hot News note related to “SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)”.
- The second note with the same severity rating (CVSS 9.6) is another Hot News note related to “Missing authentication check in SAP Commerce cloud configuration”.
- The final note we will review (CVSS 8.2) is high severity and concerns “OS Command Injection Vulnerability in SAP Forecasting & Replenishment”.
This month, the most common category was once again “Missing Authorization Check” (4 of the 15 Patch Day notes).
The chart shows the classification of May’s notes, as well as the evolution and classification of the previous five months (considering only SAP Security Tuesday / Patch Day notes).
Full Details
The full details of the most relevant notes are as follows (in English):
- SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP) (3724838): SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected. CVSS v3 Base Score 9.6/10 [CVE-2026-34260]
- Missing authentication check in SAP Commerce cloud configuration (3733064): Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution and a high impact on the confidentiality, integrity, and availability of the application. CVSS v3 Base Score 9.6/10 [CVE-2026-34263]
- OS Command Injection Vulnerability in SAP Forecasting & Replenishment (3732471): Due to an OS command execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability. CVSS v3 Base Score 8.2/10 [CVE-2026-34259]
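As an added illustration of the pattern the first note describes (user input concatenated into the SQL text) and of its hardened counterpart, the following ABAP Open SQL snippet is constructed for this article; it is not SAP's Enterprise Search code, and the class, method and report names are made up for the example.

```abap
REPORT z_inprosec_dynsql_demo.

" Constructed table type for the illustration; USR02 is a standard SAP table.
TYPES tt_usr02 TYPE STANDARD TABLE OF usr02 WITH DEFAULT KEY.

CLASS lcl_user_search DEFINITION.
  PUBLIC SECTION.
    METHODS search_unsafe IMPORTING iv_term        TYPE string
                          RETURNING VALUE(rt_rows) TYPE tt_usr02.
    METHODS search_safe   IMPORTING iv_term        TYPE string
                          RETURNING VALUE(rt_rows) TYPE tt_usr02.
ENDCLASS.

CLASS lcl_user_search IMPLEMENTATION.
  METHOD search_unsafe.
    " Vulnerable pattern: the user's term is concatenated into a dynamic
    " WHERE clause, so it becomes part of the SQL text. A quote character in
    " iv_term either alters the condition or leaves it unbalanced, and an
    " unbalanced clause raises a runtime error (the crash the note mentions).
    DATA(lv_where) = |BNAME LIKE '{ iv_term }%'|.
    SELECT * FROM usr02 WHERE (lv_where) INTO TABLE @rt_rows.
  ENDMETHOD.

  METHOD search_safe.
    " Hardened pattern: the term travels as a host variable, so the database
    " receives it as data and it cannot change the statement's structure.
    " If a dynamic clause is unavoidable, wrap the value with
    " cl_abap_dyn_prg=>quote( ) so embedded quotes are escaped.
    DATA(lv_pattern) = |{ iv_term }%|.
    SELECT * FROM usr02 WHERE bname LIKE @lv_pattern INTO TABLE @rt_rows.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lo_search) = NEW lcl_user_search( ).
  " Constructed input containing a quote character: harmless for search_safe,
  " but it would break the statement built by search_unsafe.
  DATA(lt_rows) = lo_search->search_safe( iv_term = `O'BRIEN` ).
  WRITE: / |Rows returned: { lines( lt_rows ) }|.
```

Code inspection for this pattern (dynamic `WHERE (lv_where)` built from unvalidated input) is the check a reviewer would run on custom ABAP while the vendor patch is applied to the standard component.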
Reference Links
References from SAP and Onapsis (May):
Affected Resources
The complete list of affected systems/components is as follows:
- SAP S/4HANA (SAP Enterprise Search for ABAP): SAP_BASIS 751, 752, 753, 754, 755, 756, 757, 758, 816, 918
- SAP Commerce Cloud: HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
- SAP Forecasting & Replenishment: SCM 702, 712, 713, 714