CVE-2026-34260 CRITICAL

CVE-2026-34260: SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)

Vendor: Sap_Se
Product: SAP S/4HANA (SAP Enterprise Search for ABAP)
Weakness: CWE-89 · SQLi
Published: May 12, 2026
Last update: May 12, 2026

CVSS base score

9.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

What the vulnerability does

01 Description

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Key dates

02 Disclosure timeline

May 12, 2026: CVE published
May 12, 2026: Record updated