SAP has released 15 security patches in its May 2026 update, including fixes for two critical vulnerabilities in S/4HANA and Commerce, both rated 9.6 on the CVSS scale. The S/4HANA flaw is an SQL injection issue that could allow authenticated attackers to leak data, while the Commerce vulnerability involves a missing authentication check that enables unauthenticated users to execute arbitrary server-side code. SAP says there's no evidence of active exploitation, but the company urges users to apply the patches immediately, especially following a recent supply chain attack that compromised four SAP NPM packages.