Ivanti, Fortinet, SAP, VMware, and n8n have released patches addressing multiple high-risk vulnerabilities that could be leveraged by attackers to bypass authentication mechanisms and execute arbitrary code.
One of the most severe issues affects Ivanti Xtraction (CVE-2026-8043, CVSS 9.6). This flaw allows a remote authenticated attacker to manipulate file names, enabling access to sensitive files and the ability to write malicious HTML content into web directories. Such exploitation could lead to data exposure and client-side attacks.
Fortinet also issued updates for two critical vulnerabilities impacting several of its products, including FortiAuthenticator and FortiSandbox environments:
- CVE-2026-44277 (CVSS 9.1): An access control flaw in FortiAuthenticator that could allow unauthenticated attackers to execute unauthorized commands through specially crafted requests.
- CVE-2026-26083 (CVSS 9.1): A missing authorization issue in FortiSandbox (including Cloud and PaaS versions) that could enable remote code execution via malicious HTTP requests.
SAP addressed two critical flaws within its enterprise platforms:
- CVE-2026-34260 (CVSS 9.6): An SQL injection vulnerability in SAP S/4HANA that could allow attackers to inject malicious queries, potentially exposing sensitive data and disrupting system availability. While it does not affect data integrity, it still poses significant confidentiality risks.
- CVE-2026-34263 (CVSS 9.6): A misconfiguration issue in SAP Commerce Cloud that allows unauthenticated users to upload malicious configurations and inject code, potentially leading to full server-side compromise.
Broadcom also resolved a high-severity vulnerability in VMware Fusion (CVE-2026-41702, CVSS 7.8). This flaw, caused by a time-of-check to time-of-use (TOCTOU) issue in a privileged binary, could allow local users with limited permissions to escalate privileges to root.
Meanwhile, automation platform n8n patched five critical vulnerabilities, all with CVSS scores of 9.4. These issues largely revolve around prototype pollution and improper input validation, which attackers could exploit to achieve remote code execution. Some flaws also allow attackers to inject malicious parameters or access sensitive server files, potentially resulting in full system compromise. Notably, one vulnerability served as a bypass for a previously identified issue, further increasing the risk.
In addition to these vendors, numerous other organizations have recently released security updates addressing various vulnerabilities. These include major players such as Microsoft, Cisco, Apple, Google, AWS, IBM, Intel, Palo Alto Networks, and many others, as well as updates across multiple Linux distributions and enterprise platforms.