SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for...

9.6 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Description

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

AI Analysis

SQL injection vulnerability allowing an attacker to inject malicious SQL statements through user-controlled input

Basic Information

ID CVE-2026-34260

Source sap

Published May 12, 2026 at 02:20

Affected Product

Vendor SAP_SE

Product SAP S/4HANA (SAP Enterprise Search for ABAP)

Version SAP_BASIS 751

Affected Versions SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 751
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 752
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 753
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 754
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 755
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 756
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 757
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 758
SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 816

CWE Classification

CWE-89

AI Assessment

AI Score 9.6 / 10

AI Severity Critical

Vendor SAP

Product SAP S/4HANA (SAP Enterprise Search for ABAP)

Version SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

References

{
    "lastseen": "",
    "description": "SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.",
    "published": "2026-05-12T02:20:21.855Z",
    "modified": "2026-05-12T02:20:21.855Z",
    "type": "cve",
    "title": "SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)",
    "source": "sap",
    "references": "https://me.sap.com/notes/3724838\nhttps://url.sap/sapsecuritypatchday",
    "id": "CVE-2026-34260",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "SAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 751\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 752\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 753\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 754\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 755\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 756\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 757\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 758\nSAP_SE SAP S/4HANA (SAP Enterprise Search for ABAP) SAP_BASIS 816",
    "sourceHref": "",
    "cvss": {
        "score": 9.6,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SAP S/4HANA (SAP Enterprise Search for ABAP)",
    "version": "SAP_BASIS 751",
    "vendor": "SAP_SE",
    "ai_description": "SQL injection vulnerability allowing an attacker to inject malicious SQL statements through user-controlled input",
    "ai_severity": "Critical",
    "ai_vendor": "SAP",
    "ai_product": "SAP S/4HANA (SAP Enterprise Search for ABAP)",
    "ai_version": "SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816",
    "ai_score": 9.6
}

SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)_CVE-2026-34260