Cyber Resilience

CVE-2026-34259

High

Published: 12 May 2026

Published
12 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0020 9.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34259 is a high-severity Command Injection (CWE-77) vulnerability in Sap (inferred from references). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 9.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands. Successful exploitation could allow the attacker to read or modify any…

more

system data or shut down the system, resulting in a complete compromise of confidentiality, integrity, and availability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct OS command execution via application flaw (CWE-77) enables T1059; SAP exposure enables T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44869Shared CWE-77
CVE-2026-44866Shared CWE-77
CVE-2025-57685Shared CWE-77
CVE-2025-60021Shared CWE-77
CVE-2026-2333Shared CWE-77
CVE-2025-67728Shared CWE-77
CVE-2025-24818Shared CWE-77
CVE-2024-54794Shared CWE-77
CVE-2025-60801Shared CWE-77
CVE-2025-55294Shared CWE-77

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References