CVE-2026-34263

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

Configurations

No configuration.

History

15 May 2026, 12:17

Type : Summary

Values Removed : (en) Due to improper Spring Security configuration, SAP Commerce cloud allows an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

Values Added : (en) Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

12 May 2026, 03:16

Type : New CVE

Information

Published : 2026-05-12 03:16

Updated : 2026-05-15 12:17


NVD link : CVE-2026-34263

Mitre link : CVE-2026-34263

CVE.ORG link : CVE-2026-34263


Products Affected

No product.

CWE
CWE-459

Incomplete Cleanup