
Major Vendors Patch Critical Flaws Amid Cyber Threat Surge


"External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks," Ivanti said.

Ivanti Xtraction — CVE-2026-8043 (CVSS 9.6)

Ivanti disclosed a critical flaw in Xtraction, tracked as CVE-2026-8043 and rated CVSS 9.6. According to the vendor advisory, the issue stems from external control of a file name and affects versions before 2026.2. A remote authenticated attacker could read sensitive files and write arbitrary HTML into a web directory, producing information disclosure and the potential for client-side attacks. Ivanti published fixes in the advisory; organisations running Xtraction should move to 2026.2 or later.

Fortinet FortiAuthenticator and FortiSandbox — CVE-2026-44277, CVE-2026-26083 (both CVSS 9.1)

Fortinet published advisories for two critical, high-impact flaws that could lead to code execution. CVE-2026-44277 is an improper access control vulnerability in FortiAuthenticator that “may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.” Fortinet fixed the issue in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3.

CVE-2026-26083 is a missing authorization vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that likewise “may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.” Fortinet lists fixes in FortiSandbox versions 4.4.9 and 5.0.2, FortiSandbox Cloud version 5.0.6, and FortiSandbox PaaS versions 4.4.9 and 5.0.2.

SAP S/4HANA and Commerce Cloud — CVE-2026-34260, CVE-2026-34263 (both CVSS 9.6)

SAP released fixes for two critical issues. CVE-2026-34260 is an SQL injection in SAP S/4HANA; Pathlock said, “It allows a low-privileged, authenticated attacker to inject malicious SQL code via user-controlled input, potentially exposing sensitive database information and crashing the application.” The vendor notes that the affected code only allows read access to data and therefore “the vulnerability does not compromise the integrity of the application,” even as confidentiality and availability may be impacted.

CVE-2026-34263 affects SAP Commerce cloud configuration and is described by Onapsis as originating in “an overly permissive security configuration with improper rule ordering, allowing an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution.” SAP has shipped updates to address both problems.

n8n workflow automation — five critical CVEs (CVE-2026-42231, CVE-2026-42232, CVE-2026-44791, CVE-2026-44789, CVE-2026-44790) (CVSS 9.4)

n8n patched a cluster of critical vulnerabilities in its workflow automation platform, all rated CVSS 9.4. The xml2js parsing issue (CVE-2026-42231) allows prototype pollution via a crafted XML payload in the webhook handler and can enable an authenticated user with permission to create or modify workflows to achieve remote code execution; it was fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1.
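To make the class of bug concrete, the following is an added illustration written for this article, not n8n's or xml2js's code: a deliberately minimal XML-to-object converter whose "merge into an existing entry" logic is enough to let an element named `__proto__` write into `Object.prototype`, beside a hardened variant that builds prototype-less objects, merges only into own properties, and rejects the dangerous names outright. The XML subset it handles (nested elements with text, no attributes or namespaces), the function names and the sample payload are all constructed for the example.

```javascript
// Added illustration for this article (not n8n's or xml2js's code): a minimal
// XML-to-object converter whose "merge into existing entry" logic reproduces
// the prototype-pollution pattern, and a hardened variant. The XML subset
// (nested elements with text, no attributes or namespaces), the function
// names and the sample payload are all constructed for the example.

// Parse the XML subset into {tag, text, children} trees.
function parseXml(src) {
  const re = /<(\/?)([A-Za-z_][\w.-]*)\s*>|([^<]+)/g;
  const root = { tag: '#root', text: '', children: [] };
  const stack = [root];
  let m;
  while ((m = re.exec(src)) !== null) {
    const [, closing, tag, text] = m;
    if (tag !== undefined) {
      if (closing) {
        if (stack.length < 2 || stack[stack.length - 1].tag !== tag) {
          throw new Error(`unbalanced </${tag}>`);
        }
        stack.pop();
      } else {
        const node = { tag, text: '', children: [] };
        stack[stack.length - 1].children.push(node);
        stack.push(node);
      }
    } else if (text.trim()) {
      stack[stack.length - 1].text += text.trim();
    }
  }
  if (stack.length !== 1) throw new Error('unterminated element');
  return root;
}

// VULNERABLE: element names become keys unchecked. When a key already maps to
// an object, the child's fields are merged into it. For the element name
// "__proto__", out["__proto__"] is Object.prototype, so the merge writes
// attacker-chosen properties onto every plain object in the process.
function toObjectUnsafe(node) {
  const out = {};
  for (const child of node.children) {
    const value = child.children.length ? toObjectUnsafe(child) : child.text;
    if (typeof value === 'object' && typeof out[child.tag] === 'object') {
      Object.assign(out[child.tag], value);
    } else {
      out[child.tag] = value;
    }
  }
  return out;
}

// HARDENED: prototype-less result objects, only own properties are merge
// targets, and the names that reach a prototype are rejected outright.
const FORBIDDEN_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

function toObjectSafe(node) {
  const out = Object.create(null);
  for (const child of node.children) {
    if (FORBIDDEN_NAMES.has(child.tag)) {
      throw new Error(`rejected element name: ${child.tag}`);
    }
    const value = child.children.length ? toObjectSafe(child) : child.text;
    const existing = Object.prototype.hasOwnProperty.call(out, child.tag)
      ? out[child.tag]
      : undefined;
    if (typeof value === 'object' && typeof existing === 'object') {
      Object.assign(existing, value);
    } else {
      out[child.tag] = value;
    }
  }
  return out;
}

// Constructed payload: the element name chooses the merge target.
const CRAFTED_XML =
  '<req><__proto__><isAdmin>true</isAdmin></__proto__><name>bob</name></req>';

// Returns true if an unrelated object gained isAdmin after the unsafe parse.
function demoUnsafe() {
  toObjectUnsafe(parseXml(CRAFTED_XML));
  const unrelated = {};
  const polluted = unrelated.isAdmin === 'true';
  delete Object.prototype.isAdmin; // undo the pollution for the rest of the process
  return polluted;
}

// Returns "rejected" when the hardened parser refuses the payload without
// touching Object.prototype.
function demoSafe() {
  try {
    toObjectSafe(parseXml(CRAFTED_XML));
    return 'accepted';
  } catch (e) {
    return ({}).isAdmin === undefined ? 'rejected' : 'polluted';
  }
}
```

The same shape applies to the pagination parameter in the HTTP Request node: any routine that walks attacker-controlled keys and merges into whatever `target[key]` already resolves to needs the own-property check and the name denylist, and a prototype-less accumulator removes the reachable target entirely.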

CVE-2026-42232 permits global prototype pollution via the XML Node and likewise leads to remote code execution when combined with other nodes; it was fixed in the same 1.123.32/2.17.4/2.18.1 releases. A bypass of that fix is tracked as CVE-2026-44791 and was addressed in later builds (1.123.43, 2.20.7, and 2.22.1). CVE-2026-44789 is prototype pollution through an unvalidated pagination parameter in the HTTP Request node. CVE-2026-44790 lets an authenticated workflow-authoring user inject CLI flags into the Git node's Push operation, enabling arbitrary file reads and “full compromise” of the n8n server. Both were fixed in 1.123.43, 2.20.7, and 2.22.1.

VMware Fusion — CVE-2026-41702 (CVSS 7.8)

Broadcom patched a high-severity privilege-escalation flaw in VMware Fusion tracked as CVE-2026-41702 and scored CVSS 7.8. The vendor described a TOCTOU (time-of-check time-of-use) vulnerability occurring during an operation performed by a SETUID binary. Broadcom said a local non-administrative user “may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed.” The issue is addressed in VMware Fusion version 26H1.

What this means for technologists, enterprises, and developers

  • Technologists and security teams: apply the vendor-supplied patches immediately — Ivanti Xtraction to 2026.2 or later, FortiAuthenticator to 6.5.7/6.6.9/8.0.3, FortiSandbox/FortiSandbox Cloud/FortiSandbox PaaS to the patched releases listed by Fortinet, SAP S/4HANA and Commerce Cloud to the provided fixes, n8n to 1.123.43, 2.20.7 or 2.22.1 (the earlier 1.123.32/2.17.4/2.18.1 builds do not carry the fix for the CVE-2026-44791 bypass or for CVE-2026-44789 and CVE-2026-44790), and VMware Fusion to 26H1.
  • Enterprises and procurement leaders: prioritise assets exposed to unauthenticated or web-facing interfaces — Fortinet’s and SAP’s advisories both describe scenarios where unauthenticated HTTP or misordered rules enable remote code execution or configuration upload.
  • Developers and maintainers of automation platforms: note the cluster of prototype-pollution and XML-parsing issues in n8n that enable workflow-level actors to escalate to host compromise; applying the fixed n8n releases is the immediate remedy.

Beyond these named products, vendors across the technology stack also shipped updates in recent weeks: ABB; Adobe; Amazon Web Services; AMD; Apple; ASUS; Atlassian; Axis Communications; AVEVA; Canon; Cisco; CODESYS; ConnectWise; Dell; Devolutions; Drupal; F5; Fortra; Foxit Software; Fujitsu; GitLab; GnuTLS; Google Android and Pixel; Google Chrome; Google Cloud; Grafana; Hikvision; Hitachi Energy; Honeywell; HP; HP Enterprise (including Aruba Networking and Juniper Networks); Huawei; IBM; Intel; Jenkins; Lenovo; Linux distributions including AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu; MediaTek; Meta WhatsApp; Microsoft; Mitel; Mitsubishi Electric; MongoDB; Moxa; Mozilla Firefox, Firefox ESR, and Thunderbird; NVIDIA; OPPO; Palo Alto Networks; Phoenix Contact; Phoenix Technologies; Progress Software; QNAP; Qualcomm; React; Ricoh; Samsung; Schneider Electric; Siemens; Sophos; Spring Framework; Supermicro; Synology; Tenable; TP-Link; WatchGuard; Zoom; and Zyxel.

The concrete step is simple and non-negotiable: install the specific patched versions the vendors have published. The cost of not doing so is spelled out in the advisories themselves: systems left running vulnerable, unauthenticated web UIs, or workflow tooling that can be abused from within.
