CVE-2026-34260
CRITICAL EPSS 36.9%
Published May 12, 20261mo ago · Modified Jun 17, 20261w ago
9.6 CVSS 3.1
Published May 12, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago
Description
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity None
Availability High
Threat Intelligence
EPSS Exploit Probability
36.9% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-89 SQL Injection Injection
References 2
- me.sap.com https://me.sap.com/notes/3724838
- url.sap https://url.sap/sapsecuritypatchday
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.