SAP has issued 15 security notes as part of its May 2026 Security Patch Day, with the most severe fixes addressing critical code injection flaws in S/4HANA and Commerce. These two high‑severity vulnerabilities carry a CVSS score of 9.6; S/4HANA is tracked as CVE-2026-34260 and is described as an SQL injection issue arising from missing input validation and sanitization, while Commerce is CVE-2026-34263 and involves a missing authentication check in cloud configuration.
An authenticated attacker could exploit the S/4HANA flaw to inject malicious SQL statements, and the Commerce flaw could allow an unauthenticated user to perform malicious configuration uploads and code injection, resulting in arbitrary server‑side code execution, according to Onapsis. SAP’s patch cycle also resolves a high‑severity OS command injection flaw in Forecasting & Replenishment (CVE-2026-34259).
The company notes that none of these vulnerabilities are yet known to be exploited in the wild, but users are urged to apply the patches promptly, especially in light of the recent Mini Shai‑Hulud supply chain attack affecting SAP components and more than 1,800 developers.