Five major enterprise vendors released critical security patches this week, addressing vulnerabilities spanning remote code execution, SQL injection, authentication bypass, and privilege escalation. Security teams should prioritize these patches, particularly given the high CVSS scores and the track record of rapid exploitation after vendor disclosure.
Ivanti Xtraction — CVE-2026-8043 (CVSS 9.6)
The highest-severity vulnerability in this week's batch affects Ivanti Xtraction, the company's business intelligence and reporting platform.
CVE-2026-8043 is classified as an external file control vulnerability that allows attackers to perform unauthorized file read and write operations, potentially enabling client-side attacks against users of the Xtraction interface. With a CVSS score of 9.6, this is rated critical.
| Detail | Value |
|---|---|
| CVE | CVE-2026-8043 |
| CVSS Score | 9.6 (Critical) |
| Type | External File Control |
| Impact | Unauthorized file read/write, client-side attacks |
| Fixed Version | Xtraction 2026.2 |
Ivanti has faced significant scrutiny in 2026 following multiple zero-day exploitations across its Connect Secure, EPMM, and Neurons product lines. CVE-2026-8043 has not been confirmed as exploited in the wild at the time of writing, but Ivanti vulnerabilities have historically entered active exploitation within days of disclosure.
Action: Update Xtraction to version 2026.2 immediately. If patching cannot be completed within 24 hours, consider taking the Xtraction interface offline or restricting access to trusted networks only.
Fortinet — Dual Critical RCE Vulnerabilities
Fortinet patched two critical flaws across FortiAuthenticator and FortiSandbox, both enabling unauthenticated or unauthorized code execution.
FortiAuthenticator — CVE-2026-44277 (CVSS 9.1)
An improper access control flaw in FortiAuthenticator allows unauthenticated remote attackers to execute arbitrary code or commands.
| Detail | Value |
|---|---|
| CVE | CVE-2026-44277 |
| CVSS Score | 9.1 (Critical) |
| Type | Improper Access Control / Unauthenticated RCE |
| Fixed Versions | 6.5.7, 6.6.9, 8.0.3 |
FortiAuthenticator is widely deployed as a multi-factor authentication and certificate management solution in enterprise environments. Unauthenticated RCE on an MFA system could allow attackers to bypass authentication for all downstream services protected by FortiAuthenticator.
FortiSandbox — CVE-2026-26083 (CVSS 9.1)
A missing authorization flaw in the FortiSandbox web UI allows unauthorized attackers to execute arbitrary code via a crafted web request.
| Detail | Value |
|---|---|
| CVE | CVE-2026-26083 |
| CVSS Score | 9.1 (Critical) |
| Type | Missing Authorization / Web UI RCE |
| Affected | FortiSandbox (all variants), Cloud, PaaS |
| Fixed Versions | 4.4.9, 5.0.2 (on-premises); Cloud 5.0.6; PaaS 4.4.9/5.0.2 |
Action: Apply FortiAuthenticator and FortiSandbox patches on an emergency basis. FortiAuthenticator's role in authentication infrastructure makes this particularly urgent — exploitation could silently undermine MFA protections across the organization.
SAP — Dual Critical SQLi and Authentication Flaws
SAP shipped two critical patches for its S/4HANA enterprise platform, both rated CVSS 9.6.
CVE-2026-34260 — SQL Injection in S/4HANA
A SQL injection vulnerability in SAP S/4HANA allows authenticated users to execute arbitrary SQL queries, potentially exposing sensitive business data, financial records, and operational information stored in the SAP database.
CVE-2026-34263 — Missing Authentication for Code Execution
A missing authentication check in SAP S/4HANA allows unauthenticated attackers to execute arbitrary code by uploading a malicious configuration file. This is the more severe of the two flaws from an impact perspective.
| CVE | CVSS | Type |
|---|---|---|
| CVE-2026-34260 | 9.6 | SQL Injection — data exposure |
| CVE-2026-34263 | 9.6 | Missing Auth — unauthenticated RCE via config upload |
SAP S/4HANA underpins financial, logistics, and human resources operations for thousands of enterprises globally. Unauthenticated code execution against an SAP system can provide attackers with access to sensitive financial data, the ability to manipulate business processes, and a foothold in environments with high-value business intelligence.
Action: Apply SAP Security Notes for both CVEs immediately. SAP vulnerabilities are attractive to financially motivated threat actors; treat these as high-urgency patches.
VMware Fusion — CVE-2026-41702 (CVSS 7.8)
A TOCTOU (Time-of-Check to Time-of-Use) race condition in a SETUID binary in VMware Fusion enables local privilege escalation to root on macOS.
| Detail | Value |
|---|---|
| CVE | CVE-2026-41702 |
| CVSS Score | 7.8 (High) |
| Type | TOCTOU / Local Privilege Escalation |
| Impact | Local user → root |
| Fixed Version | VMware Fusion 26H1 |
While local privilege escalation requires pre-existing access to the machine, in enterprise environments where Fusion is used on developer or analyst workstations, this could be chained with initial access exploits to achieve full system compromise.
Action: Update VMware Fusion to version 26H1. This is lower urgency than the RCE vulnerabilities above, but should be included in the next patch cycle.
n8n — Five Critical RCE Vulnerabilities (All CVSS 9.4)
The automation platform n8n received patches for five separate critical vulnerabilities, all rated CVSS 9.4, covering prototype pollution and code injection flaws that enable remote code execution.
| CVE | Type |
|---|---|
| CVE-2026-42231 | Prototype Pollution / RCE |
| CVE-2026-42232 | Prototype Pollution / RCE |
| CVE-2026-44791 | Code Injection / RCE |
| CVE-2026-44789 | Code Injection / RCE |
| CVE-2026-44790 | Code Injection / RCE |
Fixed versions: 1.123.32+, 2.17.4+, 2.18.1+, 2.20.7+, 2.22.1+
n8n has been a recurring target in 2026. CISA added a prior critical n8n RCE flaw (CVE-2025-68613) to the Known Exploited Vulnerabilities catalog in March, citing active exploitation across thousands of exposed instances. Given this history, these five new vulnerabilities should be treated as high-probability near-term exploitation targets.
n8n instances are frequently exposed to the internet for webhook integrations, making them accessible to opportunistic scanners. Any n8n deployment should be on the latest patched version and, if possible, should not be directly internet-facing.
Action: Update n8n to the latest patched version matching your branch. If running an older version that does not have a patched release, assess whether temporary isolation is feasible while planning an upgrade.
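As an added example (not code from the article or from the n8n project), a small Python triage helper that maps an installed n8n version to its major.minor branch and checks it against the fixed releases listed above, flagging branches such as 2.19.x for which no patched release is listed. Hostnames and version strings in the sample inventory are constructed.

```python
from typing import Optional, Tuple

# Fixed n8n releases exactly as listed in this roundup (one per affected branch).
N8N_FIXED_RELEASES = ("1.123.32", "2.17.4", "2.18.1", "2.20.7", "2.22.1")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.17.3' or 'v2.17.3' into a comparable tuple (2, 17, 3)."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def format_version(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess_n8n(installed: str) -> Tuple[str, Optional[str]]:
    """Classify an installed n8n version against the fixed releases above.

    Returns (status, target) where status is one of:
      'patched'        - at or above the fix for its own major.minor branch
      'vulnerable'     - branch has a fix; target is that fixed release
      'no_branch_fix'  - no fixed release listed for this branch; target is
                         the next higher fixed branch in the same major line
      'verify_vendor'  - newer than every listed fix; not covered by this list
    """
    inst = parse_version(installed)
    branch = inst[:2]
    fixes = {parse_version(f)[:2]: parse_version(f) for f in N8N_FIXED_RELEASES}
    if branch in fixes:
        if inst >= fixes[branch]:
            return "patched", None
        return "vulnerable", format_version(fixes[branch])
    # Branch such as 2.19.x or 2.21.x: the article lists no fix, so the
    # install must move to the nearest higher fixed branch of the same major.
    higher = sorted(f for f in fixes.values() if f[0] == inst[0] and f > inst)
    if higher:
        return "no_branch_fix", format_version(higher[0])
    return "verify_vendor", None


def triage(inventory: dict) -> list:
    """Return hosts needing action, most urgent first (a branch with no fix
    before a simple patch lag), as (host, installed, status, target)."""
    order = {"no_branch_fix": 0, "vulnerable": 1, "verify_vendor": 2, "patched": 3}
    rows = [(host, ver, *assess_n8n(ver)) for host, ver in inventory.items()]
    return sorted((r for r in rows if r[2] != "patched"), key=lambda r: order[r[2]])


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"wf-01": "2.17.3", "wf-02": "2.22.1", "wf-03": "2.19.4", "wf-04": "1.123.31"}
    for row in triage(sample):
        print(row)
```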
Patch Priority Summary
| Priority | Vendor / CVE | Reason |
|---|---|---|
| Critical — Patch Now | Ivanti CVE-2026-8043 | CVSS 9.6, Ivanti has rapid exploitation history |
| Critical — Patch Now | Fortinet CVE-2026-44277 | CVSS 9.1, unauthenticated RCE on MFA infrastructure |
| Critical — Patch Now | SAP CVE-2026-34263 | CVSS 9.6, unauthenticated code execution |
| Critical — Patch Now | n8n CVE-2026-42231, -42232, -44789, -44790, -44791 | CVSS 9.4 ×5, prior n8n CVE actively exploited |
| High — This Cycle | Fortinet CVE-2026-26083 | CVSS 9.1, FortiSandbox web UI RCE |
| High — This Cycle | SAP CVE-2026-34260 | CVSS 9.6, SQL injection in S/4HANA |
| Medium — Next Cycle | VMware CVE-2026-41702 | CVSS 7.8, local privilege escalation (requires existing access) |
References
- The Hacker News — Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
- CosmicBytez Labs — CISA Flags n8n RCE Bug as Actively Exploited
- CosmicBytez Labs — Fortinet Warns of Critical RCE Flaws in FortiSandbox and FortiAuthenticator
- Ivanti Security Advisory
- Fortinet PSIRT