
A number of critical vulnerabilities affecting products from Adobe, Fortinet, Microsoft, and SAP are highlighted in April’s Patch Tuesday releases.
Topping the list is a SQL injection vulnerability affecting SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS score: 9.9), which could lead to the execution of arbitrary database commands.
“A vulnerable ABAP program could allow a low-privileged user to upload and execute a file containing arbitrary SQL statements,” Onapsis said in the advisory.
In a potential attack scenario, a malicious attacker could exploit the affected upload-related functionality to execute malicious SQL against the BW/BPC data store, extract sensitive data, and delete or corrupt database content.
“Manipulating planning numbers, corrupting reports, or deleting consolidated data can undermine close processes, management reporting, and business planning,” Passlock said. “In the wrong hands, this issue could lead to covert data theft or outright business disruption.”
Another security vulnerability worth mentioning is a remote code execution flaw in Adobe Acrobat Reader (CVE-2026-34621, CVSS score: 8.6), which has been exploited in the wild.
However, there are many unknowns at this stage. It is not clear how many people were affected by the hacking campaign. There is also no information about who is behind this activity, who is being targeted, and what their motives are.
Adobe has also patched five critical flaws in ColdFusion versions 2025 and 2023. Successful exploitation could lead to arbitrary code execution, denial of service against the application, arbitrary file system reads, or security feature bypass.
The vulnerabilities are listed below –
CVE-2026-34619 (CVSS score: 7.7) – Path traversal vulnerability that leads to security feature bypass
CVE-2026-27304 (CVSS score: 9.3) – Improper input validation vulnerability that leads to arbitrary code execution
CVE-2026-27305 (CVSS score: 8.6) – Path traversal vulnerability that leads to arbitrary file system read
CVE-2026-27282 (CVSS score: 7.5) – Improper input validation vulnerability that leads to security feature bypass
CVE-2026-27306 (CVSS score: 8.4) – Improper input validation vulnerability that leads to arbitrary code execution
Fortinet has also released fixes for two critical FortiSandbox vulnerabilities that could lead to authentication bypass and code execution.
CVE-2026-39813 (CVSS score: 9.1) – A path traversal vulnerability in the FortiSandbox JRPC API could allow an unauthenticated attacker to bypass authentication via a specially crafted HTTP request. (Fixed in versions 4.4.9 and 5.0.6)
CVE-2026-39808 (CVSS score: 9.1) – An operating system command injection vulnerability in FortiSandbox could allow an unauthenticated attacker to execute unauthorized code or commands via a crafted HTTP request. (Fixed in version 4.4.9)
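Two of the flaws above (the FortiSandbox JRPC API bug and one of the ColdFusion bugs) are classed as path traversal, where a client-supplied path is used before it is confined to the directory the application intended. The following is an added example, not code from Fortinet, Adobe, or any of the advisories quoted here: a generic resolver that canonicalizes a requested path and refuses anything that escapes the base directory, plus a matching log-side heuristic a defender can run over request paths. BASE_DIR, the function names, and the sample request paths are all constructed for the example.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical base directory for the example; not taken from any product.
BASE_DIR = "/srv/app/uploads"


def fully_decode(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so that double-encoded sequences such as
    %252e%252e (which decodes to %2e%2e and then to ..) are caught."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path under base_dir for a client-supplied
    relative path, or None if the request must be rejected.

    Rejects: absolute paths, embedded NUL bytes, and any path that, after
    decoding and normalization, does not stay inside base_dir."""
    decoded = fully_decode(requested)
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators so "..\..\" is not missed.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Prefix check against base + "/" prevents "/srv/app/uploads2" from
    # passing for a base of "/srv/app/uploads".
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def looks_like_traversal(raw_path: str) -> bool:
    """Detection-side heuristic: True if a request path contains a '..'
    segment or a NUL byte once fully decoded. Intended for reviewing
    access logs, not as a substitute for safe_resolve at the server."""
    decoded = fully_decode(raw_path).replace("\\", "/")
    if "\x00" in decoded:
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def flag_suspicious(paths: List[str]) -> List[str]:
    """Return the subset of request paths that trip the heuristic."""
    return [p for p in paths if looks_like_traversal(p)]


# Constructed sample request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/api/files/reports/q1.pdf",
    "/api/files/%2e%2e/%2e%2e/etc/passwd",
    "/api/files/..%5c..%5cwindows/win.ini",
    "/api/files/%252e%252e/config",
    "/api/files/archive/../q2.pdf",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:45} traversal={looks_like_traversal(p)}")
    print(safe_resolve(BASE_DIR, "reports/q1.pdf"))
```

Note that `archive/../q2.pdf` is flagged by the log heuristic but accepted by `safe_resolve`, because after normalization it still lands inside the base directory. That gap is deliberate: the server-side check decides on the canonical result, while the log-side check errs toward surfacing anything that contains a parent reference at all.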
This development comes as Microsoft addresses a staggering 169 security flaws, among them a spoofing vulnerability affecting Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5) that could allow attackers to view sensitive information. The company said the bug is being actively exploited, although it has no insight into the actual attacks.
“SharePoint services, especially those used as internal document stores, can be a gold mine for attackers looking to steal data, especially data that could be used to force ransom payments using double extortion techniques by threatening to publish the stolen data if payment is not made,” said Kev Breen, senior director of threat research at Immersive.
“A second concern is that an attacker with access to the SharePoint service could deploy weaponized documents or replace legitimate documents with infected versions that could spread to other hosts and victims as they move laterally within the organization.”
Software patches from other vendors
Over the past few weeks, in addition to Microsoft, other vendors have released security updates that fix several vulnerabilities, including:
ABB
Amazon Web Services
AMD
Apple
ASUS
AVEVA
Broadcom (includes VMware)
Canon
Cisco
Citrix
CODESYS
D-Link
Dassault Systèmes
Dell
Devolutions
dormakaba
Drupal
Elastic
F5
Fortinet
Foxit Software
FUJIFILM
Gigabyte
GitLab
Google Android and Pixel
Google Chrome
Google Cloud
Grafana
Hitachi Energy
HP
HP Enterprise (includes Aruba Networking and Juniper Networks)
Huawei
IBM
Ivanti
Jenkins
Lenovo
Linux Distributions (AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu)
MediaTek
Mitel
Mitsubishi Electric
MongoDB
Moxa
Mozilla Firefox, Firefox ESR, and Thunderbird
NETGEAR
Node.js
NVIDIA
ownCloud
Palo Alto Networks
Phoenix Contact
Progress Software
QNAP
Qualcomm
Rockwell Automation
Ruckus Wireless
Samsung
Schneider Electric
Siemens
SonicWall
Splunk
Spring Framework
Supermicro
Synology
TP-Link
WatchGuard
Xiaomi
