CVE-2026-34263 — SAP Commerce Cloud pre-auth RCE; CVE-2026-34260 — SAP S/4HANA Enterprise Search SQL injection
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
SAP's May 2026 Security Patch Day shipped fixes for CVE-2026-34263 (Commerce Cloud pre-auth RCE) and CVE-2026-34260 (S/4HANA Enterprise Search SQL injection). Commerce Cloud is internet-exposed by design (storefront workloads); S/4HANA Enterprise Search is typically segmented but reachable from internal-user populations. There was no in-the-wild (ITW) exploitation at week-end (SAP Security Patch Day May 2026; daily 2026-05-13). Swiss / EU public-sector deployments of S/4HANA in federal-administration ERP estates make the SQL-injection patch state worth verifying outside the standard quarterly window.