Home

Description

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

PUBLISHED Reserved 2026-03-26 | Published 2026-05-12 | Updated 2026-05-12 | Assigner sap




CRITICAL: 9.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command

Product status

Default status
unaffected

SAP_BASIS 751
affected

SAP_BASIS 752
affected

SAP_BASIS 753
affected

SAP_BASIS 754
affected

SAP_BASIS 755
affected

SAP_BASIS 756
affected

SAP_BASIS 757
affected

SAP_BASIS 758
affected

SAP_BASIS 816
affected

References

me.sap.com/notes/3724838

url.sap/sapsecuritypatchday

cve.org (CVE-2026-34260)

nvd.nist.gov (CVE-2026-34260)

Download JSON