SAP's May 2026 Patch Day addresses 15 vulnerabilities across multiple products. The two most severe are CVE-2026-34263, a missing authentication check in SAP Commerce Cloud that allows unauthenticated remote code execution (CVSS 9.6), and CVE-2026-34260, a SQL injection in SAP S/4HANA exploitable by a low-privilege attacker that affects both confidentiality and system availability (CVSS 9.6). The remaining fixes cover one high-severity issue and 11 medium-severity findings including command injection, XSS, CSRF, and denial-of-service vectors. Neither critical vulnerability has been observed exploited in the wild, but the combination of unauthenticated access and remote code execution in Commerce Cloud makes CVE-2026-34263 a high-priority patch target for any organization running SAP in internet-facing or hybrid configurations. Teams operating SAP Commerce Cloud or S/4HANA should apply May patches promptly; SAP Note guidance is available via the Onapsis blog and SAP's own Support Portal.