=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN498
_____________________________________________________________________

DATE                : 13/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2026.html
_____________________________________________________________________

SAP Security Patch Day - May 2026
This post shares information on the security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the support portal and apply the patches as a
priority to protect their SAP landscape.

On 12 May 2026, SAP Security Patch Day saw the release of 15 new
security notes.

Note#     Title       Product       Version(s)       Priority     CVSS

Note# - 3724838
Title - [CVE-2026-34260] SQL injection vulnerability in SAP S/4HANA
(SAP Enterprise Search for ABAP)
Product - SAP S/4HANA (SAP Enterprise Search for ABAP)
Version(s) - SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757,
SAP_BASIS 758, SAP_BASIS 816
Priority - Critical
CVSS - 9.6

Note# - 3733064
Title - [CVE-2026-34263] Missing authentication check in SAP Commerce
cloud configuration
Product - SAP Commerce cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
Priority - Critical
CVSS - 9.6

Note# - 3732471
Title - [CVE-2026-34259] OS Command Injection Vulnerability in
SAP Forecasting & Replenishment
Product - SAP Forecasting & Replenishment
Version(s) - SCM 702, 712, 713, 714
Priority - High
CVSS - 8.2

Note# - 3730019
Title - [CVE-2026-40135] OS Command Injection vulnerability in SAP
NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver Application Server for ABAP and
ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Priority - Medium
CVSS - 6.5

Note# - 3718083
Title - [CVE-2026-40133] Missing Authorization check in SAP S/4HANA
Condition Maintenance
Product - SAP S/4HANA Condition Maintenance
Version(s) - S4CORE 102, 103, 104, 105, 106, 107, 108, 109
Priority - Medium
CVSS - 6.3

Note# - 3727717
Title - [CVE-2026-40137] Cross-Site Scripting (XSS) vulnerability in
Business Server Pages Application (TAF_APPLAUNCHER)
Product - Business Server Pages Application (TAF_APPLAUNCHER)
Version(s) - ST-PI 740, 758
Priority - Medium
CVSS - 6.1

Note# - 3667593
Title - [CVE-2026-0502] Cross Site Request Forgery (CSRF) in SAP
BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform
Version(s) - ENTERPRISE 430, 2025, 2027
Priority - Medium
CVSS - 5.4

Note# - 3721959
Title - [CVE-2026-40132] Missing Authorization Check in SAP Strategic
Enterprise Management (BSP application Balanced Scorecard
Wizard)
Product - SAP Strategic Enterprise Management (BSP application
Balanced Scorecard Wizard)
Version(s) - SEM-BW 605, 700, 736, 746, 747, 748, 749, 800
Priority - Medium
CVSS - 5.4

Note# - 3716450
Title - [CVE-2025-68161] Potential Improper Certificate Validation in
SAP Commerce Cloud (Apache Log4j)
Product - SAP Commerce Cloud (Apache Log4j)
Version(s) - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
Priority - Medium
CVSS - 4.8

Note# - 3726583
Title - [CVE-2026-34258] Content Spoofing vulnerability in SAPUI5
(Search UI)
Product - SAPUI5 (Search UI)
Version(s) - SAPUI5 1.108, 1.120, 1.136, 1.142, 1.71, 1.84,
1.96
Priority - Medium
CVSS - 4.7

Note# - 3728690
Title - [CVE-2026-27682] Reflected Cross-Site Scripting (XSS)
vulnerability in SAP NetWeaver Application Server ABAP
(Applications based on Business Server Pages)
Product - SAP NetWeaver Application Server ABAP
(Applications based on Business Server Pages)
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750,
SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753,
SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 918
Priority - Medium
CVSS - 4.7

Note# - 3713521
Title - [CVE-2026-40136] Denial of service (DoS) in SAP
Financial Consolidation
Product - SAP Financial Consolidation
Version(s) - FINANCE 1010
Priority - Medium
CVSS - 4.3

Note# - 3718508
Title - [CVE-2026-40134] Missing Authorization Check in SAP Incentive
and Commission Management
Product - SAP Incentive and Commission Management
Version(s) - SAP_APPL 618, S4CORE 102, 103, 104, 105, 106,
107, 108, 109, EA-APPL 600, 604, 605, 606, 617
Priority - Medium
CVSS - 4.3

Note# - 3735359
Title - [CVE-2026-40129] Code Injection vulnerability in SAP
Application Server ABAP for SAP NetWeaver and ABAP
Platform
Product - SAP Application Server ABAP for SAP NetWeaver
and ABAP Platform
Version(s) - SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Priority - Medium
CVSS - 4.3

Note# - 3726962
Title - [CVE-2026-40131] SQL Injection vulnerability in SAP HANA
Deployment Infrastructure (HDI) deploy library
Product - SAP HANA Deployment Infrastructure (HDI) deploy
library
Version(s) - XS_HDI_DEPLOYER 1.00
Priority - Low
CVSS - 3.4

To learn more about the security researchers and research companies
who have contributed to this month's security patches, visit here.
SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to ensuring secure
operation and data integrity. We have therefore documented
security recommendations, consolidated in this document, to help
you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can
write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================