CVE-2026-34260CRITICAL 9.6EPSS p36.7%

CVE-2026-34260CVE-2026-34260

Description

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Scoring

CVSS 3.19.6 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
EPSS0.47% probability of exploitation · percentile 36.7% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-12

Underlying weaknesses· 1

CWE-89

References

  1. https://me.sap.com/notes/3724838
  2. https://url.sap/sapsecuritypatchday

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-44744
CVE
CVE-2026-0488
CVE
CVE-2025-42957
CVE
CVE-2025-27429
CVE
CVE-2026-0501
CVE
CVE-2025-42880
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.