Critical Vulnerabilities Patched in SAP Commerce Cloud and S/4HANA: Immediate Action Required
**SAP** has released its May 2026 security updates, addressing a total of 15 vulnerabilities across its product suite. Two critical flaws in **Commerce Cloud** and **S/4HANA** could allow for remote code execution and SQL injection, posing significant risks to enterprise users.

**SAP** has issued its May 2026 security advisory, patching 15 vulnerabilities affecting multiple products. The updates include fixes for two critical vulnerabilities found in **SAP Commerce Cloud** and **S/4HANA**, highlighting the need for immediate patching.
### Critical Vulnerabilities in Detail
The first critical flaw, tracked as **CVE-2026-34263**, resides in **SAP Commerce Cloud** and is a missing authentication check. According to **SAP**, an improper **Spring Security** configuration leaves an endpoint reachable without authentication, letting an unauthenticated attacker upload malicious configuration and inject code, which results in arbitrary code execution on the vulnerable server and a severe impact on confidentiality, integrity, and availability. Because no credentials are required, any instance reachable by the attacker is exposed.
The second critical vulnerability, **CVE-2026-34260**, impacts **S/4HANA** and is a SQL injection flaw exploitable by an attacker who already holds basic (low) privileges. The application concatenates user-supplied input directly into SQL statements without validation or parameterization, so an attacker can alter the query's logic to read sensitive data they are not authorized to see, or supply malformed input that makes the query fail and crash the application.
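The concatenation pattern described for **CVE-2026-34260** is easiest to see in a small runnable model. The following is an added example, not SAP code or the actual vulnerable query, and it uses Python with an in-memory SQLite table (a stand-in for an ABAP/HANA query; the `customers` table, its rows, and the payloads are all constructed for the demonstration). It places the vulnerable string-built lookup beside the parameterized fix, and shows both consequences the advisory names: a tautology payload returns every row instead of one, and an unbalanced quote turns into a database error that an application without error handling would surface as a crash.

```python
import sqlite3

# Constructed sample data: a tiny table standing in for a business table that a
# low-privileged, authenticated user may query through the application. Not SAP data.
SAMPLE_ROWS = [
    ("1000", "ACME Corp", "DE", 12500.00),
    ("1001", "Globex", "US", 980000.00),
    ("1002", "Initech", "FR", 45000.00),
]

# Payloads used in the demonstration (constructed, not from the advisory).
INJECTION = "1000' OR '1'='1"   # tautology: every row matches once the quote is closed
CRASH_PAYLOAD = "1000'"         # unbalanced quote: the concatenated SQL no longer parses


def make_db():
    """Create the in-memory table the two lookups below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id TEXT, name TEXT, country TEXT, credit_limit REAL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer_id):
    """The flaw pattern in the advisory: user input concatenated straight into SQL text."""
    sql = (
        "SELECT id, name, country, credit_limit FROM customers WHERE id = '"
        + customer_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer_id):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT id, name, country, credit_limit FROM customers WHERE id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def run_demo():
    """Run both lookups against normal, tautology and malformed input; return row counts."""
    conn = make_db()
    results = {
        "vulnerable_normal": len(lookup_vulnerable(conn, "1000")),     # 1 row
        "vulnerable_injected": len(lookup_vulnerable(conn, INJECTION)),  # all 3 rows leak
        "safe_normal": len(lookup_safe(conn, "1000")),                 # 1 row
        "safe_injected": len(lookup_safe(conn, INJECTION)),            # 0 rows: treated as data
    }
    # Malformed input: the string-built query raises a database error (the "crash" case),
    # while the parameterized query simply finds no matching id.
    try:
        lookup_vulnerable(conn, CRASH_PAYLOAD)
        results["vulnerable_crashes"] = False
    except sqlite3.OperationalError:
        results["vulnerable_crashes"] = True
    results["safe_malformed_rows"] = len(lookup_safe(conn, CRASH_PAYLOAD))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The fix is the same regardless of the database or language: pass user input as a bound parameter (or, in ABAP Open SQL, as a host variable rather than a dynamically built `WHERE` string), so the database engine only ever sees it as a value. Input validation is a second layer, not a substitute.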
### Other Vulnerabilities Addressed
**SAP**'s [May 2026 security advisory](https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html) also includes fixes for one high-severity and 11 medium-severity issues. These include command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service vulnerabilities.
### Prior Exploitation and CISA Involvement
While **SAP** has not found evidence of in-the-wild exploitation of these newly patched vulnerabilities, **CISA** [has added 14 **SAP** security flaws](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?f%5B0%5D=vendor_project%3A835) to its Known Exploited Vulnerabilities catalog in recent years, including two that were used in ransomware attacks. The history of SAP flaws being weaponized after disclosure is the reason to treat the two critical notes as patch-now items rather than waiting for exploitation reports.
Most recently, [multiple official **SAP** npm packages were compromised](https://www.bleepingcomputer.com/news/security/official-sap-npm-packages-compromised-to-steal-credentials/) in a supply-chain attack aimed at stealing credentials and authentication tokens from developers' systems.
As the world's largest vendor of enterprise software, **SAP** serves 99 of the 100 largest companies worldwide. With total revenues exceeding €36 billion in fiscal year 2025, the company's security posture is critical to the global economy.
