SAP released fixes for 15 vulnerabilities on its May 2026 patch day, with two rated critical at CVSS 9.6. CVE-2026-34263 is a missing authentication check in SAP Commerce Cloud that allows unauthenticated remote code execution. CVE-2026-34260 is a SQL injection flaw in SAP S/4HANA that lets attackers with basic privileges inject SQL, impacting confidentiality and availability. The remaining issues include one high-severity and eleven medium-severity findings spanning command injection, missing authorization, XSS, CSRF, and denial-of-service. Neither critical CVE is known to be exploited in the wild at the time of disclosure, but both carry maximum practical impact scores and target widely deployed enterprise Java platforms. Teams running SAP Commerce Cloud or S/4HANA should apply the May 2026 patches immediately; the unauthenticated RCE vector in Commerce Cloud in particular requires no attacker foothold and should be treated as a priority upgrade.