SAP Patch Released for Critical Vulnerabilities in Commerce Cloud & S/4HANA

SAP Releases Critical Fixes for Commerce Cloud and S/4HANA Flaws

German multinational software corporation SAP has released a batch of security patches for its Commerce Cloud and S/4HANA platforms, addressing 15 vulnerabilities across multiple products.

  • Two of these flaws have been classified as critical, impacting the confidentiality, integrity, and availability of the applications.

“This results in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application,” SAP warned in its security advisory.

Critical Vulnerability Affects S/4HANA

Another critical vulnerability affects S/4HANA, enabling attackers with basic privileges to inject malicious SQL statements through low-complexity SQL injection attacks.

“Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application,” SAP stated. “This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.”

Additional Patches Address Multiple Issues

In addition to the two critical flaws, SAP’s May 2026 security update includes fixes for one high-severity vulnerability and 11 medium-severity issues, including command injection, missing authorization checks, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service.

While SAP has not identified any instances of these vulnerabilities being exploited in the wild, the US Cybersecurity and Infrastructure Security Agency (CISA) has added 14 SAP security flaws to its Known Exploited Vulnerabilities catalog in recent years.

About SAP

As one of the world’s largest vendors of enterprise software, SAP serves 99 of the 100 largest companies worldwide and reported total revenues exceeding $36 billion in fiscal year 2025.


