Ivanti, Fortinet, SAP, VMware and n8n patch critical bugs

Vendors released patches for critical RCE, SQL injection and privilege escalation flaws in Ivanti Xtraction, Fortinet, SAP S/4HANA and Commerce Cloud, VMware Fusion and n8n.

Ivanti, Fortinet, SAP, VMware and n8n published security updates to fix critical vulnerabilities that could allow remote code execution, SQL injection, information disclosure or local privilege escalation in their products.

Ivanti’s advisory notes the most serious flaw is in Ivanti Xtraction before version 2026.2 (CVE-2026-8043, CVSS 9.6). External control of a file name can allow an authenticated remote user to read sensitive files and write arbitrary HTML to a web directory, which can expose data and enable client-side attacks. Ivanti delivered a fix in the 2026.2 update and published remediation guidance.

Fortinet posted advisories for two critical, unauthenticated vulnerabilities. CVE-2026-44277 (CVSS 9.1) is an improper access control issue in FortiAuthenticator that may permit execution of unauthorized commands via crafted requests; fixes are available in FortiAuthenticator versions 6.5.7, 6.6.9 and 8.0.3. A separate missing authorization bug, CVE-2026-26083 (CVSS 9.1), affects the FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS web UI and can allow unauthenticated code execution through HTTP requests. Fortinet published patched builds for the affected FortiSandbox lines.

SAP released updates for two critical defects. CVE-2026-34260 (CVSS 9.6) is an SQL injection in SAP S/4HANA that allows a low-privileged, authenticated user to inject SQL via user-controlled input, potentially exposing sensitive database information and causing application crashes; Pathlock flagged the confidentiality and availability risks while noting the affected code path permits read operations only. CVE-2026-34263 (CVSS 9.6) stems from an overly permissive configuration in SAP Commerce Cloud that permits unauthenticated configuration upload and code injection, which can lead to arbitrary server-side code execution; Onapsis described improper rule ordering as the cause. SAP published patches that address both issues.

n8n patched five high-severity vulnerabilities that could be abused by authenticated users with workflow-modification rights. Two prototype pollution flaws, CVE-2026-42231 and CVE-2026-42232 (both CVSS 9.4), involve the xml2js library and the XML Node and can lead to remote code execution when combined with other nodes; fixes are in n8n versions 1.123.32, 2.17.4 and 2.18.1. Additional bypass and prototype pollution issues (CVE-2026-44791, CVE-2026-44789) and a CLI flag injection on the Git node (CVE-2026-44790) were remediated in later releases including 1.123.43, 2.20.7 and 2.22.1.

Broadcom provided a fix for a high-severity local privilege escalation in VMware Fusion (CVE-2026-41702, CVSS 7.8). The vulnerability is a time-of-check time-of-use error in a SETUID binary that a local non-administrative account could exploit to escalate privileges to root. The issue is resolved in VMware Fusion version 26H1.

Vendors published advisories with patched versions and configuration guidance. Organizations using the affected products have access to vendor instructions and should apply the updates and review exposed systems. Additional security updates from other vendors have been released in recent weeks, including fixes from Adobe, Apple, Cisco, Google, Microsoft, Intel, NVIDIA, Red Hat and Ubuntu.