SAP patches two critical CVSS 9.6 flaws in Commerce Cloud and S/4HANA - the ERP and e-commerce platforms behind most large retailers and global enterprises (CVE-2026-34263, CVE-2026-34260)

SAP's May Patch Day included two CVSS 9.6 critical flaws. CVE-2026-34263 in Commerce Cloud is a missing authentication check from improperly ordered Spring Security rules - unauthenticated attackers can upload configurations and inject code. CVE-2026-34260 in S/4HANA is a SQL injection in the ABAP Enterprise Search component that lets low-privilege authenticated users steal sensitive database records. Both land less than two weeks after four SAP npm packages were hit in the Mini Shai-Hulud attack, putting SAP customers under compounding patch pressure.

Check

Inventory SAP Commerce Cloud and S/4HANA instances. Check note application status in Solution Manager or SAP Support Portal. Search application logs for unusual configuration upload attempts.

Affected

SAP Commerce Cloud (all on-prem before patch) - CVE-2026-34263, CVSS 9.6. S/4HANA with ABAP Enterprise Search enabled - CVE-2026-34260, CVSS 9.6. Internet-facing Commerce Cloud is at acute risk.

Fix

Apply SAP Security Notes 3733064 (Commerce Cloud) and 3724838 (S/4HANA). Restrict Commerce Cloud admin endpoints to trusted IPs. Audit Enterprise Search query logs for SQL injection signatures.