Ivanti, Fortinet, SAP, VMware, n8n Release Patches for Critical RCE, SQL Injection, Privilege Escalation Flaws
Ivanti, Fortinet, SAP, VMware, and n8n have released security updates addressing multiple critical vulnerabilities, including remote code execution, SQL injection, and privilege escalation flaws.

Ivanti, Fortinet, SAP, VMware, and n8n have released security fixes for a range of critical vulnerabilities that could allow attackers to execute arbitrary code, bypass authentication, or escalate privileges. The patches address flaws in products widely used across enterprise and cloud environments.
Topping the list is a critical flaw in Ivanti Xtraction (CVE-2026-8043, CVSS 9.6) that could enable information disclosure or client-side attacks. According to Ivanti's advisory, "External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory." The vulnerability affects Ivanti Xtraction versions prior to 2026.2.
Fortinet published advisories for two critical vulnerabilities. CVE-2026-44277 (CVSS 9.1) is an improper access control flaw in FortiAuthenticator that could allow an unauthenticated attacker to execute unauthorized code via crafted requests. CVE-2026-26083 (CVSS 9.1) is a missing authorization vulnerability in FortiSandbox's web UI that could similarly lead to code execution. Fortinet has released fixes for both products.
SAP shipped patches for two critical vulnerabilities. CVE-2026-34260 (CVSS 9.6) is an SQL injection flaw in SAP S/4HANA that could allow an authenticated attacker to inject malicious SQL code, potentially exposing sensitive data and crashing the application. CVE-2026-34263 (CVSS 9.6) is a missing authentication check in SAP Commerce cloud configuration that could allow an unauthenticated attacker to upload a malicious configuration and inject code, leading to arbitrary server-side code execution.
Broadcom released a fix for a high-severity vulnerability in VMware Fusion (CVE-2026-41702, CVSS 7.8) that could allow local privilege escalation. The issue, a time-of-check to time-of-use (TOCTOU) vulnerability in a SETUID binary, could enable a malicious actor with local non-administrative privileges to escalate to root on systems where Fusion is installed. The fix is included in VMware Fusion version 26H1.
n8n addressed five critical vulnerabilities (CVE-2026-42231, CVE-2026-42232, CVE-2026-44791, CVE-2026-44789, CVE-2026-44790), all with CVSS scores of 9.4. These flaws allow authenticated users with permission to create or modify workflows to achieve remote code execution through prototype pollution, XML parsing, or CLI flag injection. The fixes are available in n8n versions 1.123.32, 2.17.4, 2.18.1, and later updates.
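
One way to check an n8n inventory against the fixed releases listed above, as an added example that is not code from n8n or from the original article. It assumes each fixed release covers its own release line (1.x, 2.0 through 2.17, 2.18), which the article does not state; the host names and inventory are constructed. The per-line comparison matters because a single "at least 1.123.32" check would wrongly pass 2.0.0.

```python
import re

# Fixed n8n releases named in the article. Mapping each one to a release
# line (1.x, 2.0-2.17, 2.18) is an assumption made for this example.
FIXED = [(1, 123, 32), (2, 17, 4), (2, 18, 1)]
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (major, minor, patch), or None for anything not plain x.y.z."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def required_fix(version):
    """Pick the fixed release that applies to this version's release line."""
    major, minor, _ = version
    if major < 2:
        return FIXED[0]          # 1.x line (and anything older)
    if (major, minor) <= (2, 17):
        return FIXED[1]          # 2.0 through 2.17: need at least 2.17.4
    if (major, minor) == (2, 18):
        return FIXED[2]
    return None                  # newer than every listed fix ("later updates")

def n8n_status(text):
    """Classify one reported version as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"         # pre-release tags, 'latest', typos: check by hand
    fix = required_fix(version)
    if fix is None or version >= fix:
        return "patched"
    return "vulnerable"

def triage(inventory):
    """Return hosts that still need attention, vulnerable ones first."""
    rows = [(host, ver, n8n_status(ver)) for host, ver in inventory.items()]
    return sorted((r for r in rows if r[2] != "patched"),
                  key=lambda r: r[2] != "vulnerable")

# Constructed inventory for the example (host names are hypothetical).
INVENTORY = {
    "wf-prod-1": "1.123.32", "wf-prod-2": "2.0.0", "wf-dev-1": "v2.17.3",
    "wf-dev-2": "2.18.1", "wf-lab-1": "2.19.0", "wf-lab-2": "latest",
}
```

Calling `triage(INVENTORY)` returns the hosts to follow up on; entries marked `unknown` need a manual version check rather than being treated as patched.
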
Organizations using any of these products are urged to apply the latest patches immediately. The vulnerabilities pose significant risks, especially in environments where these tools are exposed to untrusted networks or used by multiple users. Security teams should prioritize patching based on the CVSS scores and the potential for exploitation.