Critical Vulnerabilities in SAP Commerce Cloud and SAP S/4HANA
13 May 2026
SAP has released security updates to address critical vulnerabilities in SAP Commerce Cloud and SAP S/4HANA. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
SAP has released security updates to address critical vulnerabilities affecting SAP Commerce Cloud (CVE-2026-34263) and SAP S/4HANA (CVE-2026-34260) as part of SAP's Security Patch Day in May 2026. Both vulnerabilities have a Common Vulnerability Scoring System (CVSSv3.1) score of 9.6 out of 10.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-34263: Due to an improper Spring Security configuration, an unauthenticated attacker could upload malicious configuration files and achieve arbitrary code execution on the affected system.
CVE-2026-34260: Due to insufficient input validation in the SAP Enterprise Search for ABAP component, an authenticated attacker could inject malicious SQL statements to gain unauthorised access to sensitive database information or cause application crashes on the affected system.
Affected Products
These vulnerabilities affect the following SAP products and versions:
For CVE-2026-34263:
SAP Commerce Cloud versions: HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21
For CVE-2026-34260:
SAP S/4HANA (SAP Enterprise Search for ABAP) versions: SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html
https://nvd.nist.gov/vuln/detail/CVE-2026-34263
