Cyber Resilience

CVE-2026-34263

Critical

Published: 12 May 2026

Published
12 May 2026
Modified
15 May 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0061 44.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34263 is a critical-severity Incomplete Cleanup (CWE-459) vulnerability in Sap (inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Improper security config enables unauthenticated RCE via input injection on public-facing SAP app (T1190); arbitrary server-side code execution maps to command/scripting interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66675Shared CWE-459
CVE-2025-66467Shared CWE-459
CVE-2025-0726Shared CWE-459
CVE-2025-0473Shared CWE-459
CVE-2026-3304Shared CWE-459
CVE-2025-21609Shared CWE-459
CVE-2026-28268Shared CWE-459
CVE-2026-33232Shared CWE-459

Affected Assets

Sap
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-459

Mandates complete sanitization during cleanup so that shared resources (memory, caches, buffers) do not retain data across subjects.

addresses: CWE-459

Operational retention schedules mandate complete cleanup of temporary or residual sensitive data after use.

addresses: CWE-459

Termination of the non-persistent artifact guarantees cleanup of temporary state, directly countering incomplete cleanup weaknesses.

addresses: CWE-459

Fail-safe procedures can explicitly require cleanup of temporary state, resources, or privileges on failure to avoid leaving the system in an inconsistent state.

addresses: CWE-459

The explicit delete step when information is no longer needed implements the cleanup that this weakness omits.

addresses: CWE-459

Enforces complete cleanup and sanitization steps during disposal, closing gaps that leave data remnants on retired components.

References