CVE-2026-34263

Summary

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Commerce cloud configurationHY_COM 2205affected
SAP_SESAP Commerce cloud configurationCOM_CLOUD 2211affected
SAP_SESAP Commerce cloud configuration2211-JDK21affected

Weaknesses

  • CWE-459: CWE-459: Incomplete Cleanup

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References