A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April’s Patch Tuesday releases.
Topping the list is an SQL injection vulnerability impacting SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS score: 9.9) that could result in the execution of arbitrary database commands.
“The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” Onapsis said in an advisory.
In a potential attack scenario, a bad actor could abuse the affected upload-related functionality to run malicious SQL against BW/BPC data stores, extract sensitive data, and delete or corrupt database content.
“Manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning,” Pathlock said. “In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption.”
Another security vulnerability that deserves a mention is a critical-severity remote code execution flaw in Adobe Acrobat Reader (CVE-2026-34621, CVSS score: 8.6) that has come under active exploitation in the wild.
That said, there are many unknowns at this stage. It is not clear how many people have been affected by the hacking campaign. Nor is there any information about who is behind the activity, who is being targeted, and what their motives might be.
Also patched by Adobe are five critical flaws in ColdFusion versions 2025 and 2023 that, if successfully exploited, could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass.
The vulnerabilities are listed below –
- CVE-2026-34619 (CVSS score: 7.7) – A path traversal vulnerability leading to security feature bypass
- CVE-2026-27304 (CVSS score: 9.3) – An improper input validation vulnerability leading to arbitrary code execution
- CVE-2026-27305 (CVSS score: 8.6) – A path traversal vulnerability leading to arbitrary file system read
- CVE-2026-27282 (CVSS score: 7.5) – An improper input validation vulnerability leading to security feature bypass
- CVE-2026-27306 (CVSS score: 8.4) – An improper input validation vulnerability leading to arbitrary code execution
Fixes have also been released for two critical FortiSandbox vulnerabilities that could result in authentication bypass and code execution –
- CVE-2026-39813 (CVSS score: 9.1) – A path traversal vulnerability in the FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6)
- CVE-2026-39808 (CVSS score: 9.1) – An operating system command injection vulnerability in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9)
The development comes as Microsoft addressed a staggering 169 security defects, including a spoofing vulnerability impacting Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5) that could allow an attacker to view sensitive information. The company said it is being actively exploited, although there are no insights into the in-the-wild exploitation associated with the bug.
“SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made,” Kev Breen, senior director of threat research at Immersive, said.
“A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims moving laterally across the organization.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
- ABB
- Amazon Web Services
- AMD
- Apple
- ASUS
- AVEVA
- Broadcom (including VMware)
- Canon
- Cisco
- Citrix
- CODESYS
- D-Link
- Dassault Systèmes
- Dell
- Devolutions
- dormakaba
- Drupal
- Elastic
- F5
- Fortinet
- Foxit Software
- FUJIFILM
- Gigabyte
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Grafana
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking and Juniper Networks)
- Huawei
- IBM
- Ivanti
- Jenkins
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitel
- Mitsubishi Electric
- MongoDB
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- Node.js
- NVIDIA
- ownCloud
- Palo Alto Networks
- Phoenix Contact
- Progress Software
- QNAP
- Qualcomm
- Rockwell Automation
- Ruckus Wireless
- Samsung
- Schneider Electric
- Siemens
- SonicWall
- Splunk
- Spring Framework
- Supermicro
- Synology
- TP-Link
- WatchGuard, and
- Xiaomi