{"api_version":"1","generated_at":"2026-05-12T11:09:07+00:00","cve":"CVE-2026-34260","urls":{"html":"https://cve.report/CVE-2026-34260","api":"https://cve.report/api/cve/CVE-2026-34260.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34260","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34260"},"summary":{"title":"SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)","description":"SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.","state":"PUBLISHED","assigner":"sap","published_at":"2026-05-12 03:16:11","updated_at":"2026-05-12 03:16:11"},"problem_types":["CWE-89","CWE-89 CWE-89: Improper Neutralization of Special Elements used in an SQL Command"],"metrics":[{"version":"3.1","source":"cna@sap.com","type":"Primary","score":"9.6","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.6","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://me.sap.com/notes/3724838","name":"https://me.sap.com/notes/3724838","refsource":"cna@sap.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://url.sap/sapsecuritypatchday","name":"https://url.sap/sapsecuritypatchday","refsource":"cna@sap.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34260","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34260","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 751","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 752","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 753","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 754","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 755","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 756","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 757","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 758","platforms":[]},{"source":"CNA","vendor":"SAP_SE","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","version":"affected SAP_BASIS 816","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"SAP S/4HANA (SAP Enterprise Search for ABAP)","vendor":"SAP_SE","versions":[{"status":"affected","version":"SAP_BASIS 751"},{"status":"affected","version":"SAP_BASIS 752"},{"status":"affected","version":"SAP_BASIS 753"},{"status":"affected","version":"SAP_BASIS 754"},{"status":"affected","version":"SAP_BASIS 755"},{"status":"affected","version":"SAP_BASIS 756"},{"status":"affected","version":"SAP_BASIS 757"},{"status":"affected","version":"SAP_BASIS 758"},{"status":"affected","version":"SAP_BASIS 816"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.</p>"}],"value":"SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89: Improper Neutralization of Special Elements used in an SQL Command","lang":"eng","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T02:20:21.855Z","orgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","shortName":"sap"},"references":[{"url":"https://me.sap.com/notes/3724838"},{"url":"https://url.sap/sapsecuritypatchday"}],"source":{"discovery":"UNKNOWN"},"title":"SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)","x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"e4686d1a-f260-4930-ac4c-2f5c992778dd","assignerShortName":"sap","cveId":"CVE-2026-34260","datePublished":"2026-05-12T02:20:21.855Z","dateReserved":"2026-03-26T19:02:45.982Z","dateUpdated":"2026-05-12T02:20:21.855Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-12 03:16:11","lastModifiedDate":"2026-05-12 03:16:11","problem_types":["CWE-89","CWE-89 CWE-89: Improper Neutralization of Special Elements used in an SQL Command"],"metrics":{"cvssMetricV31":[{"source":"cna@sap.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":5.8}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34260","Ordinal":"1","Title":"SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Searc","CVE":"CVE-2026-34260","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34260","Ordinal":"1","NoteData":"SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.","Type":"Description","Title":"SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Searc"}]}}}