
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for multiple vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code.

Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks.

“External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and potential client-side attacks,” Ivanti said in an advisory.

Fortinet published advisories for two critical shortcomings affecting FortiAuthenticator and FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that could result in code execution –

  • CVE-2026-44277 (CVSS score: 9.1) – An improper access control vulnerability in FortiAuthenticator that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. (Fixed in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3)
  • CVE-2026-26083 (CVSS score: 9.1) – A missing authorization vulnerability in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web UI that may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. (Fixed in FortiSandbox versions 4.4.9 and 5.0.2, FortiSandbox Cloud version 5.0.6, and FortiSandbox PaaS versions 4.4.9 and 5.0.2)

SAP also shipped fixes for two critical vulnerabilities –

  • CVE-2026-34260 (CVSS score: 9.6) – An SQL injection vulnerability in SAP S/4HANA
  • CVE-2026-34263 (CVSS score: 9.6) – A missing authentication check in the SAP Commerce Cloud configuration

“The vulnerability is caused by an overly permissive security configuration with improper rule ordering, allowing an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution,” Onapsis said about CVE-2026-34263.

CVE-2026-34260, on the other hand, could be exploited by an attacker to inject malicious SQL statements and potentially impact the confidentiality and availability of the application. However, since the affected code only allows read access to data, the vulnerability does not compromise the integrity of the application.

“It allows a low-privileged, authenticated attacker to inject malicious SQL code via user-controlled input, potentially exposing sensitive database information and crashing the application,” Pathlock said.

Patches have also been released by Broadcom for a high-severity flaw in VMware Fusion (CVE-2026-41702, CVSS score: 7.8) that could pave the way for local privilege escalation. The issue has been addressed in version 26H1.

“VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary,” Broadcom said. “A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.”


Rounding off the list is a set of five critical vulnerabilities impacting n8n –

  • CVE-2026-42231 (CVSS score: 9.4) – A vulnerability in the xml2js library used to parse XML request bodies in n8n’s webhook handler that allows prototype pollution via a crafted XML payload, enabling an authenticated user with permission to create or modify workflows to achieve remote code execution on the n8n host. (Fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1)
  • CVE-2026-42232 (CVSS score: 9.4) – An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML node, leading to remote code execution when combined with other nodes that exploit the prototype pollution. (Fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1)
  • CVE-2026-44791 (CVSS score: 9.4) – A bypass for CVE-2026-42232 that could result in remote code execution on the n8n host. (Fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1)
  • CVE-2026-44789 (CVSS score: 9.4) – An authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node, leading to remote code execution on the n8n host. (Fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1)
  • CVE-2026-44790 (CVSS score: 9.4) – An authenticated user with permission to create or modify workflows could inject CLI flags into the Git node’s Push operation, enabling an attacker to read arbitrary files from the n8n server and resulting in full compromise. (Fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1)
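Four of the five n8n issues are prototype pollution, so it is worth seeing the mechanism concretely. The JavaScript below is an added illustration written for this article, not n8n or xml2js code: the page does not show xml2js’s actual code path, and the tiny XML subset, the get-or-create “merge repeated elements” container policy and the payload are all constructed for the example. It shows how a converter that turns element names into object keys ends up writing into `Object.prototype` when an element is literally named `__proto__`, and one way to harden such a converter.

```javascript
// Added illustration for this article (not n8n or xml2js code): how a
// converter that turns XML element names into object keys can be made to write
// into Object.prototype, and one way to harden it. The XML subset, the
// get-or-create container policy and the payload are constructed for the example.

// Tokenizer for a tiny XML subset: open/close tags without attributes, and text.
const TOKEN_RE = /<(\/?)([A-Za-z_][\w.-]*)\s*>|([^<]+)/g;

// Generic tree builder. `policy` decides how the root and child containers are
// created; that choice is exactly where the bug lives.
function parseTree(xml, policy) {
  const root = policy.root();
  const stack = [root];
  TOKEN_RE.lastIndex = 0;
  let m;
  while ((m = TOKEN_RE.exec(xml)) !== null) {
    const [, close, name, text] = m;
    if (text !== undefined) {
      if (text.trim()) stack[stack.length - 1].value = text.trim();
      continue;
    }
    if (close) {
      stack.pop();
      continue;
    }
    const child = policy.child(stack[stack.length - 1], name);
    stack.push(child);
  }
  return root;
}

// VULNERABLE policy: "reuse the container if a key of that name already
// exists". For name === '__proto__' the `in` check is satisfied by the
// inherited accessor, so parent['__proto__'] returns Object.prototype and
// every element nested inside it is written onto the global prototype.
const vulnerablePolicy = {
  root: () => ({}),
  child(parent, name) {
    if (!(name in parent)) parent[name] = {};
    return parent[name];
  },
};

// HARDENED policy: reject the dangerous names outright, consult only own
// properties, and use null-prototype containers so there is no prototype
// chain to reach in the first place.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hardenedPolicy = {
  root: () => Object.create(null),
  child(parent, name) {
    if (BLOCKED_KEYS.has(name)) throw new Error(`refusing unsafe element name: ${name}`);
    if (!Object.prototype.hasOwnProperty.call(parent, name)) parent[name] = Object.create(null);
    return parent[name];
  },
};

// Runs both policies against the same constructed payload and reports what
// happened to an unrelated, freshly created object.
function demo() {
  // Constructed payload: an element literally named __proto__ wrapping the key to plant.
  const payload = '<body><__proto__><polluted>yes</polluted></__proto__></body>';
  const report = {};

  parseTree(payload, vulnerablePolicy);
  const probe = {}; // never touched by the parser, yet it now "has" polluted
  report.vulnerableLeaked = probe.polluted !== undefined && probe.polluted.value === 'yes';
  delete Object.prototype.polluted; // undo the pollution so the rest of the process is clean

  try {
    parseTree(payload, hardenedPolicy);
    report.hardened = 'accepted';
  } catch (err) {
    report.hardened = `rejected: ${err.message}`;
  }
  report.hardenedStillClean = ({}).polluted === undefined;

  const benign = parseTree('<body><name>alice</name></body>', hardenedPolicy);
  report.benignName = benign.body.name.value;
  return report;
}

console.log(demo());
```

The point to take away is that neither `__proto__` nor the payload needs to be executable: a single `parent[name]` lookup on an ordinary object is enough to hand the parser a reference to `Object.prototype`. Rejecting the three reserved names, checking own properties only, and building on `Object.create(null)` are independent defences; a converter needs at least one of them on every path that turns attacker-controlled names into keys.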

Software Patches from Other Vendors

Security updates have also been released by other vendors over the past several weeks to rectify multiple vulnerabilities, including –

  • ABB
  • Adobe
  • Amazon Web Services
  • AMD
  • Apple
  • ASUS
  • Atlassian
  • Axis Communications
  • AVEVA
  • Canon
  • Cisco
  • CODESYS
  • ConnectWise
  • Dell
  • Devolutions
  • Drupal
  • F5
  • Fortra
  • Foxit Software
  • Fujitsu
  • GitLab
  • GnuTLS
  • Google Android and Pixel
  • Google Chrome
  • Google Cloud
  • Grafana
  • Hikvision
  • Hitachi Energy
  • Honeywell
  • HP
  • Hewlett Packard Enterprise (including Aruba Networking and Juniper Networks)
  • Huawei
  • IBM
  • Intel
  • Jenkins
  • Lenovo
  • Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
  • MediaTek
  • Meta WhatsApp
  • Microsoft
  • Mitel
  • Mitsubishi Electric
  • MongoDB
  • Moxa
  • Mozilla Firefox, Firefox ESR, and Thunderbird
  • NVIDIA
  • OPPO
  • Palo Alto Networks
  • Phoenix Contact
  • Phoenix Technologies
  • Progress Software
  • QNAP
  • Qualcomm
  • React
  • Ricoh
  • Samsung
  • Schneider Electric
  • Siemens
  • Sophos
  • Spring Framework
  • Supermicro
  • Synology
  • Tenable
  • TP-Link
  • WatchGuard
  • Zoom, and
  • Zyxel