Ethical Hacking News
SAP has released critical security patches for its Commerce Cloud and S/4HANA platforms, addressing 15 vulnerabilities including two critical flaws that could allow attackers to execute arbitrary code. The updates are essential for businesses with access to these systems, which should prioritize patching as soon as possible.
SAP has released security updates for its Commerce Cloud and S/4HANA platforms. A total of 15 vulnerabilities have been addressed across multiple products, with two critical flaws in Commerce Cloud. A missing authentication check in SAP Commerce Cloud allows unauthenticated attackers to execute code on vulnerable servers. Another critical vulnerability enables attackers to inject malicious SQL statements into low-complexity SQL injection attacks. Businesses with access to Commerce Cloud and S/4HANA platforms should prioritize the released patches to mitigate security risks.
SAP, a leading provider of enterprise software solutions, has recently released security updates for its Commerce Cloud and S/4HANA platforms. The May 2026 security advisory addresses a total of 15 vulnerabilities across multiple products, with two critical flaws identified in Commerce Cloud that have significant implications for businesses relying on these systems.
One of the most severe vulnerabilities is a missing authentication check in SAP Commerce Cloud, which allows unauthenticated attackers to execute code on vulnerable servers. According to SAP, this vulnerability, tracked as CVE-2026-34263, enables an attacker to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution. This poses significant risks to the confidentiality, integrity, and availability of the application.
The second critical vulnerability, also tracked as CVE-2026-34260, enables attackers with basic privileges to inject malicious SQL statements into low-complexity SQL injection attacks. SAP notes that the application directly concatenates this malicious user input into SQL queries without proper validation or sanitization, which could lead to unauthorized access to sensitive database information and potentially crash the application.
In addition to these critical vulnerabilities, SAP's May 2026 security advisory also lists fixes for one high-severity flaw and 11 medium-severity issues, including command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service. While SAP has not found evidence that any of the vulnerabilities patched today were exploited in the wild, it is worth noting that the company's security advisory catalog lists 14 SAP security flaws that have been added to the Known Exploited Vulnerabilities catalog by the US Cybersecurity and Infrastructure Security Agency (CISA) in recent years.
Moreover, multiple official SAP npm packages were compromised in a supply-chain attack aimed at stealing credentials and authentication tokens from developers' systems. This highlights the importance of regularly monitoring software dependencies and staying informed about potential security risks.
As the world's largest vendor of enterprise software, SAP serves 99 of the 100 largest companies worldwide and reported total revenues exceeding €36 billion in fiscal year 2025. The company's commitment to addressing critical vulnerabilities in its products demonstrates its dedication to ensuring the security and integrity of its customers' systems.
In the context of emerging threats like zero-day attacks, which can bypass both renderer and OS sandboxes, it is essential for businesses to remain vigilant about their software dependencies and to stay informed about potential security risks. By taking proactive measures to address these vulnerabilities, organizations can minimize the risk of data breaches and other security incidents.
To that end, SAP has released the necessary patches and updates for its Commerce Cloud and S/4HANA platforms. These patches should be prioritized by businesses with access to these systems, as they have the potential to mitigate significant security risks.
In conclusion, the recent security updates from SAP address critical vulnerabilities in Commerce Cloud and S/4HANA that have significant implications for businesses relying on these systems. By taking proactive measures to address these vulnerabilities, organizations can minimize the risk of data breaches and other security incidents.
Related Information:
https://www.ethicalhackingnews.com/articles/SAP-Addresses-Critical-Vulnerabilities-in-Commerce-Cloud-and-S4HANA-A-Comprehensive-Look-at-the-Security-Updates-ehn.shtml
https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabilities-in-commerce-cloud-and-s-4hana/
https://nvd.nist.gov/vuln/detail/CVE-2026-34263
https://www.cvedetails.com/cve/CVE-2026-34263/
https://nvd.nist.gov/vuln/detail/CVE-2026-34260
https://www.cvedetails.com/cve/CVE-2026-34260/
Published: Tue May 12 07:30:37 2026 by llama3.2 3B Q4_K_M
