April Patch Tuesday: Critical Vulnerabilities Addressed in SAP, Adobe, Microsoft, and Fortinet Products
The April 2026 Patch Tuesday has brought to light several critical vulnerabilities across major software platforms, including SAP, Adobe, Microsoft, and Fortinet. These security flaws, if exploited, could lead to severe consequences such as unauthorized data access, system compromise, and operational disruptions.
SAP Vulnerability:
A significant SQL injection vulnerability has been identified in SAP’s Business Planning and Consolidation (BPC) and Business Warehouse (BW) applications. Designated as CVE-2026-27681 with a CVSS score of 9.9, this flaw allows low-privileged users to upload files containing arbitrary SQL statements, which are then executed by the system. This could enable attackers to manipulate planning figures, corrupt reports, or delete consolidation data, thereby undermining critical business processes. In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption.
Adobe Vulnerabilities:
Adobe has addressed multiple critical vulnerabilities in its products:
– Adobe Acrobat Reader: A remote code execution vulnerability (CVE-2026-34621, CVSS score: 8.6) has been actively exploited in the wild. The specifics of the exploitation, including the number of affected users and the identity of the attackers, remain unclear.
– Adobe ColdFusion: Five critical flaws have been patched in versions 2025 and 2023, which could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass. The vulnerabilities include:
– CVE-2026-34619 (CVSS score: 7.7): Path traversal leading to security feature bypass.
– CVE-2026-27304 (CVSS score: 9.3): Improper input validation leading to arbitrary code execution.
– CVE-2026-27305 (CVSS score: 8.6): Path traversal leading to arbitrary file system read.
– CVE-2026-27282 (CVSS score: 7.5): Improper input validation leading to security feature bypass.
– CVE-2026-27306 (CVSS score: 8.4): Improper input validation leading to arbitrary code execution.
Fortinet Vulnerabilities:
Fortinet has released patches for two critical vulnerabilities in its FortiSandbox product:
– CVE-2026-39813 (CVSS score: 9.1): A path traversal vulnerability in the JRPC API that could allow unauthenticated attackers to bypass authentication via specially crafted HTTP requests. This issue has been fixed in versions 4.4.9 and 5.0.6.
– CVE-2026-39808 (CVSS score: 9.1): An operating system command injection vulnerability that could enable unauthenticated attackers to execute unauthorized code or commands through crafted HTTP requests. This flaw has been addressed in version 4.4.9.
Microsoft Vulnerabilities:
Microsoft’s April update addresses 169 security defects, including a spoofing vulnerability in Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5). This flaw could allow attackers to view sensitive information. The company has acknowledged active exploitation of this vulnerability but has not provided specific details about the attacks.
SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made.
Conclusion:
The vulnerabilities addressed in this month’s Patch Tuesday highlight the critical importance of timely software updates. Organizations are urged to apply these patches promptly to mitigate potential risks associated with these security flaws.
