Threat Intelligence / CVE / CVE-2026-34260

CVE-2026-34260

CVSS 9.6 (CRITICAL) · EPSS 0.0% · Published 2026-05-12

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

CVSS v3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Weaknesses (CWE)

CWE-89

Threats tracking this CVE

SAP May 2026 HotNews — CVE-2026-34263 Commerce Cloud Unauthenticated RCE & CVE-2026-34260 S/4HANA Enterprise Search SQL Injection (CVSS 9.6) — CRITICAL

References

Full detection coverage & IOCs for threats exploiting CVE-2026-34260 are available via the Threadlinqs MCP server (Purple tier). View plans →

Markdown version · Threadlinqs Intelligence