April Patch Tuesday Fixes Critical Flaws Across SAP, Adobe, Microsoft, Fortinet, and More  Ravie Lakshmanan  Apr 15, 2026 Vulnerability / Data Breach A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April's Patch Tuesday releases. Topping the list is an SQL injection vulnerability impacting SAP Business Planning and Consolidation and SAP Business Warehouse ( CVE-2026-27681 , CVSS score: 9.9) that could result in the execution of arbitrary database commands. "The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed," Onapsis said in an advisory. In a potential attack scenario, a bad actor could abuse the affected upload-related functionality to run malicious SQL against BW/BPC data stores, extract sensitive data, and delete or corrupt database content. "Manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning," Pathlock said . "In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption." Another security vulnerability that deserves a mention is a critical-severity remote code execution in Adobe Acrobat Reader ( CVE-2026-34621 , CVSS score: 8.6) that has come under active exploitation in the wild. That said, there are many unknowns at this stage. It is not clear how many people have been affected by the hacking campaign. Nor is there any information about who is behind the activity, who is being targeted, and what their motives could be. Also patched by Adobe are five critical flaws in ColdFusion versions 2025 and 2023 that, if successfully exploited, could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass. The vulnerabilities are listed below - CVE-2026-34619 (CVSS score: 7.7) - A path traversal vulnerability leading to security feature bypass CVE-2026-27304 (CVSS score: 9.3) - An improper input validation vulnerability leading to arbitrary code execution CVE-2026-27305 (CVSS score: 8.6) - A path traversal vulnerability leading to arbitrary file system read CVE-2026-27282 (CVSS score: 7.5) - An improper input validation vulnerability leading to security feature bypass CVE-2026-27306 (CVSS score: 8.4) - An improper input validation vulnerability leading to arbitrary code execution Fixes have also been released for two critical FortiSandbox vulnerabilities that could result in authentication bypass and code execution - CVE-2026-39813 (CVSS score: 9.1) - A path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6) CVE-2026-39808 (CVSS score: 9.1) - An operating system command injection vulnerability in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9) The development comes as Microsoft addressed a staggering 169 security defects, including a spoofing vulnerability impacting Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5) that could allow an attacker to view sensitive information. The company said it's being actively exploited, although there are no insights into the in-the-wild exploitation associated with the bug. "SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made," Kev Breen, senior director of threat research at Immersive, said. "A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims moving laterally across the organization." Software Patches from Other Vendors In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including — ABB Amazon Web Services AMD Apple ASUS AVEVA Broadcom (including VMware) Canon Cisco Citrix CODESYS D-Link Dassault Systèmes Dell Devolutions dormakaba Drupal Elastic F5 Fortinet Foxit Software FUJIFILM Gigabyte GitLab Google Android and Pixel Google Chrome Google Cloud Grafana Hitachi Energy HP HP Enterprise (including Aruba Networking and Juniper Networks ) Huawei IBM Ivanti Jenkins Lenovo Linux distributions AlmaLinux , Alpine Linux , Amazon Linux , Arch Linux , Debian , Gentoo , Oracle Linux , Mageia , Red Hat , Rocky Linux , SUSE , and Ubuntu MediaTek Mitel Mitsubishi Electric MongoDB Moxa Mozilla Firefox, Firefox ESR, and Thunderbird NETGEAR Node.js NVIDIA ownCloud Palo Alto Networks Phoenix Contact Progress Software QNAP Qualcomm Rockwell Automation Ruckus Wireless Samsung Schneider Electric Siemens SonicWall Splunk Spring Framework Supermicro Synology TP-Link WatchGuard , and Xiaomi Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  Adobe , cybersecurity , data breach , Fortinet , Microsoft , patch Tuesday , remote code execution , SAP , sql injection , Vulnerability Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks