A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April's Patch Tuesday releases.
Topping the list is an SQL injection vulnerability impacting SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS score: 9.9) that could result in the execution of arbitrary database commands.
"The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that can then be executed," Onapsis said in an advisory.
In a potential attack scenario, a bad actor could abuse the affected upload-related functionality to run malicious SQL against BW/BPC data stores, extract sensitive data, and delete or corrupt database content.
"Manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning," Pathlock said. "In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption."
Another security vulnerability that deserves a mention is a critical-severity remote code execution in Adobe Acrobat Reader (CVE-2026-34621, CVSS score: 8.6) that has come under active exploitation in the wild.
That said, there are a lot of unknowns at this stage. It is not clear how many people have been affected by the hacking campaign. Nor is there any information about who is behind the activity, who is being targeted, and what their motives might be.
Also patched by Adobe are five critical flaws in ColdFusion versions 2025 and 2023 that, if successfully exploited, could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass.
The vulnerabilities are listed below –
- CVE-2026-34619 (CVSS score: 7.7) – A path traversal vulnerability leading to security feature bypass
- CVE-2026-27304 (CVSS score: 9.3) – An improper input validation vulnerability leading to arbitrary code execution
- CVE-2026-27305 (CVSS score: 8.6) – A path traversal vulnerability leading to arbitrary file system read
- CVE-2026-27282 (CVSS score: 7.5) – An improper input validation vulnerability leading to security feature bypass
- CVE-2026-27306 (CVSS score: 8.4) – An improper input validation vulnerability leading to arbitrary code execution
Fixes have also been released for two critical FortiSandbox vulnerabilities that could lead to authentication bypass and code execution –
- CVE-2026-39813 (CVSS score: 9.1) – A path traversal vulnerability in the FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6)
- CVE-2026-39808 (CVSS score: 9.1) – An operating system command injection vulnerability in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9)
The development comes as Microsoft addressed a staggering 169 security defects, including a spoofing vulnerability impacting Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5) that could allow an attacker to view sensitive information. The company said it is being actively exploited, although there are no insights into the in-the-wild exploitation associated with the bug.
"SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion tactics by threatening to release the stolen data if payment is not made," Kev Breen, senior director of threat research at Immersive, said.
"A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims, moving laterally across the organisation."
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
- ABB
- Amazon Web Services
- AMD
- Apple
- ASUS
- AVEVA
- Broadcom (including VMware)
- Canon
- Cisco
- Citrix
- CODESYS
- D-Link
- Dassault Systèmes
- Dell
- Devolutions
- dormakaba
- Drupal
- Elastic
- F5
- Fortinet
- Foxit Software
- FUJIFILM
- Gigabyte
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Grafana
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking and Juniper Networks)
- Huawei
- IBM
- Ivanti
- Jenkins
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitel
- Mitsubishi Electric
- MongoDB
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- Node.js
- NVIDIA
- ownCloud
- Palo Alto Networks
- Phoenix Contact
- Progress Software
- QNAP
- Qualcomm
- Rockwell Automation
- Ruckus Wireless
- Samsung
- Schneider Electric
- Siemens
- SonicWall
- Splunk
- Spring Framework
- Supermicro
- Synology
- TP-Link
- WatchGuard, and
- Xiaomi