SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA

SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in Commerce Cloud and S/4HANA. Commerce Cloud is an enterprise-grade e-commerce platform used by online stores owned by large retailers and global brands, while S/4HANA is a cloud-based Enterprise Resource Planning (ERP) suite that will replace the company's on-premises ECC ERP system. Tracked as CVE-2026-34263, the first critical flaw is a missing authentication check in SAP Commerce Cloud that allows unauthenticated attackers to execute code on vulnerable servers. "Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application," SAP says. The second critical vulnerability (CVE-2026-34260) enables attackers with basic privileges to inject malicious SQL statements in low-complexity SQL injection attacks. "The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization," according to SAP. "Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availab...