Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202605-00000005
[Content Description]
【CVE-2026-34260, CVSS: 9.6】 SAP S/4HANA (SAP Enterprise Search for ABAP) has an SQL injection vulnerability. It allows authenticated attackers to inject malicious SQL syntax through user-controlled input, which can then be passed to the underlying database without proper authentication or filtering. This could grant attackers unauthorized access to sensitive databases, impacting application confidentiality and availability.
【CVE-2026-34263, CVSS: 9.6】 SAP Commerce Cloud allows unauthenticated attackers to perform malicious configuration uploads and code injection, leading to arbitrary server-side code execution, potentially affecting application confidentiality, integrity, and availability.
[Affected Platforms]
【CVE-2026-34260】 SAP S/4HANA (SAP Enterprise Search for ABAP) Version(s) - SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
【CVE-2026-34263】 SAP Commerce Cloud Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
[Recommended Actions]
Patch according to the solutions released on the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html