CVE-2026-34260

CRITICAL

SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)

Title source: cna

Description

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Scores

CVSS v3: 9.6
EPSS: 0.0001
EPSS Percentile: 3.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (9)
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 751
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 752
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 753
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 754
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 755
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 756
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 757
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 758
SAP_SE/SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 816
Published: May 12, 2026
Tracked Since: May 12, 2026