SAP Security Patch Day - May 2026
This post shares information on the security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the support portal and apply patches on priority to protect their SAP landscape.
On the 12th of May 2026, SAP Security Patch Day saw the release of 15 new security notes.
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | [CVE-2026-34260] SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP)<br>Product - SAP S/4HANA (SAP Enterprise Search for ABAP) | Critical | |
| | [CVE-2026-34263] Missing authentication check in SAP Commerce cloud configuration<br>Product - SAP Commerce cloud | Critical | |
| | [CVE-2026-34259] OS Command Injection Vulnerability in SAP Forecasting & Replenishment<br>Product - SAP Forecasting & Replenishment | High | |
| | [CVE-2026-40135] OS Command Injection vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform<br>Product - SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | |
| | [CVE-2026-40133] Missing Authorization check in SAP S/4HANA Condition Maintenance<br>Product - SAP S/4HANA Condition Maintenance | Medium | |
| | [CVE-2026-40137] Cross-Site Scripting (XSS) vulnerability in Business Server Pages Application (TAF_APPLAUNCHER)<br>Product - Business Server Pages Application (TAF_APPLAUNCHER) | Medium | |
| | [CVE-2026-0502] Cross Site Request Forgery (CSRF) in SAP BusinessObjects Business Intelligence Platform<br>Product - SAP BusinessObjects Business Intelligence Platform | Medium | |
| | [CVE-2026-40132] Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)<br>Product - SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard) | Medium | |
| | [CVE-2025-68161] Potential Improper Certificate Validation in SAP Commerce Cloud (Apache Log4j)<br>Product - SAP Commerce Cloud (Apache Log4j) | Medium | |
| | [CVE-2026-34258] Content Spoofing vulnerability in SAPUI5 (Search UI)<br>Product - SAPUI5 (Search UI) | Medium | |
| | [CVE-2026-27682] Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)<br>Product - SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages) | Medium | |
| | [CVE-2026-40136] Denial of service (DoS) in SAP Financial Consolidation<br>Product - SAP Financial Consolidation | Medium | |
| | [CVE-2026-40134] Missing Authorization Check in SAP Incentive and Commission Management<br>Product - SAP Incentive and Commission Management | Medium | |
| | [CVE-2026-40129] Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform<br>Product - SAP Application Server ABAP for SAP NetWeaver and ABAP Platform | Medium | |
| | [CVE-2026-40131] SQL Injection vulnerability in SAP HANA Deployment Infrastructure (HDI) deploy library<br>Product - SAP HANA Deployment Infrastructure (HDI) deploy library | Low | |
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.