CVE-2026-34260

Summary

SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input. The application directly concatenates this malicious user input into SQL queries, which are then passed to the underlying database without proper validation or sanitization. Upon successful exploitation, an attacker may gain unauthorized access to sensitive database information and could potentially crash the application. This vulnerability has a high impact on the confidentiality and availability of the application, while integrity remains unaffected.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 751affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 752affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 753affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 754affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 755affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 756affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 757affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 758affected
SAP_SESAP S/4HANA (SAP Enterprise Search for ABAP)SAP_BASIS 816affected

Weaknesses

  • CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References