CVE-2026-34260
CRITICAL · 9.6 · EPSS 0.0%
Published today; no KEV listing or PoC yet. Vendor and defender chatter and urgency signal a real threat, but early-stage triage lacks confirmation of exploitation.
What: SQL injection in SAP S/4HANA Enterprise Search for ABAP (CVSS 9.6 CRITICAL) allowing authenticated attackers to inject malicious SQL and exfiltrate database contents or crash the application.
Why it matters: Published today with CVSS 9.6 and high impact on confidentiality and availability. Not yet KEV-listed, and no public PoC has been confirmed in chatter, but social posts emphasize immediate patching and note that no patch is currently available. Affects SAP_BASIS 751-816. Initial triage posts from security vendors and practitioners suggest rapid awareness.
Where it's seen: Bulk CVE list posts, vendor advisories (Patchstack, OffSeq, OrizonCyber), and practitioner alerts on Bluesky and X urging immediate access restriction and monitoring for suspicious SQL activity pending patch availability.
RISK: CRITICAL — CVSS 9.6, authenticated SQL injection in widely-deployed ERP affecting confidentiality and availability.
Description
SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: None
- Availability: High