A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April’s Patch Tuesday releases.
Topping the list is an SQL injection vulnerability impacting SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS score: 9.9) that could result in the execution of arbitrary database commands.
“The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed,” Onapsis said in an advisory.
In a potential attack scenario, a bad actor could abuse the affected upload-related functionality to run malicious SQL against BW/BPC data stores, extract sensitive data, and delete or corrupt database content.
“Manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning,” Pathlock said. “In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption.”
Another security vulnerability that deserves a mention is a critical-severity remote code execution in Adobe Acrobat Reader (CVE-2026-34621, CVSS score: 8.6) that has come under active exploitation in the wild.
That said, there are many unknowns at this stage. It is not clear how many people have been affected by the hacking campaign. Nor is there any information about who is behind the activity, who is being targeted, and what their motives could be.
Also patched by Adobe are five critical flaws in ColdFusion versions 2025 and 2023 that, if successfully exploited, could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass.
The vulnerabilities are listed below –
- CVE-2026-34619 (CVSS score: 7.7) – A path traversal vulnerability leading to security feature bypass
- CVE-2026-27304 (CVSS score: 9.3) – An improper input validation vulnerability leading to arbitrary code execution
- CVE-2026-27305 (CVSS score: 8.6) – A path traversal vulnerability leading to arbitrary file system read
- CVE-2026-27282 (CVSS score: 7.5) – An improper input validation vulnerability leading to security feature bypass
- CVE-2026-27306 (CVSS score: 8.4) – An improper input validation vulnerability leading to arbitrary code execution
Fixes have also been released for two critical FortiSandbox vulnerabilities that could result in authentication bypass and code execution –
- CVE-2026-39813 (CVSS score: 9.1) – A path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6)
- CVE-2026-39808 (CVSS score: 9.1) – An operating system command injection vulnerability in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9)
The development comes as Microsoft addressed a staggering 169 security defects, including a spoofing vulnerability impacting Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5) that could allow an attacker to view sensitive information. The company said it’s being actively exploited, although there are no insights into the in-the-wild exploitation associated with the bug.
“SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made,” Kev Breen, senior director of threat research at Immersive, said.
“A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims moving laterally across the organization.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
- ABB
- Amazon Web Services
- AMD
- Apple
- ASUS
- AVEVA
- Broadcom (including VMware)
- Canon
- Cisco
- Citrix
- CODESYS
- D-Link
- Dassault Systèmes
- Dell
- Devolutions
- dormakaba
- Drupal
- Elastic
- F5
- Fortinet
- Foxit Software
- FUJIFILM
- Gigabyte
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Grafana
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking and Juniper Networks)
- Huawei
- IBM
- Ivanti
- Jenkins
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitel
- Mitsubishi Electric
- MongoDB
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- Node.js
- NVIDIA
- ownCloud
- Palo Alto Networks
- Phoenix Contact
- Progress Software
- QNAP
- Qualcomm
- Rockwell Automation
- Ruckus Wireless
- Samsung
- Schneider Electric
- Siemens
- SonicWall
- Splunk
- Spring Framework
- Supermicro
- Synology
- TP-Link
- WatchGuard, and
- Xiaomi
