April Patch Tuesday: Critical Vulnerabilities Plague Adobe, Fortinet, Microsoft, and SAP
April's Patch Tuesday brings a slew of critical vulnerabilities demanding immediate attention. Exploits in **Adobe**, **Fortinet**, **Microsoft**, and **SAP** products could lead to remote code execution, data breaches, and system compromise. IT security teams must prioritize patching to mitigate these significant risks.

A number of critical vulnerabilities impacting products from **Adobe**, **Fortinet**, **Microsoft**, and **SAP** have taken center stage in April's Patch Tuesday releases.
## SAP SQL Injection Vulnerability
Topping the list is an SQL injection vulnerability impacting **SAP Business Planning and Consolidation** and **SAP Business Warehouse** (**CVE-2026-27681**, CVSS score: 9.9) that could result in the execution of arbitrary database commands.
"The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed," **Onapsis** said in an advisory.
In a potential attack scenario, a malicious actor could abuse the affected upload-related functionality to run malicious SQL against BW/BPC data stores, extract sensitive data, and delete or corrupt database content.
**Pathlock** stated that manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning. They further warned that the issue creates a credible path to both stealthy data theft and overt business disruption.
## Actively Exploited Adobe Acrobat Reader Flaw
Another security vulnerability that deserves a mention is a critical-severity remote code execution flaw in **Adobe Acrobat Reader** (**CVE-2026-34621**, CVSS score: 8.6) that has come under active exploitation in the wild.
Currently, details surrounding the exploitation are scarce, including the scope of affected users, the identity of the threat actors, their targets, and their motives.
## Adobe ColdFusion Vulnerabilities
Also patched by **Adobe** are five critical flaws in **ColdFusion** versions 2025 and 2023 that, if successfully exploited, could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass.
The vulnerabilities are listed below:
* **CVE-2026-34619** (CVSS score: 7.7) - A path traversal vulnerability leading to security feature bypass
* **CVE-2026-27304** (CVSS score: 9.3) - An improper input validation vulnerability leading to arbitrary code execution
* **CVE-2026-27305** (CVSS score: 8.6) - A path traversal vulnerability leading to arbitrary file system read
* **CVE-2026-27282** (CVSS score: 7.5) - An improper input validation vulnerability leading to security feature bypass
* **CVE-2026-27306** (CVSS score: 8.4) - An improper input validation vulnerability leading to arbitrary code execution
## Fortinet FortiSandbox Vulnerabilities
Fixes have also been released for two critical **FortiSandbox** vulnerabilities that could result in authentication bypass and code execution:
* **CVE-2026-39813** (CVSS score: 9.1) - A path traversal vulnerability in **FortiSandbox** JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6)
* **CVE-2026-39808** (CVSS score: 9.1) - An operating system command injection vulnerability in **FortiSandbox** that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9)
## Microsoft's Extensive Patch Release
**Microsoft** addressed a staggering 169 security defects, including a spoofing vulnerability impacting **Microsoft SharePoint Server** (**CVE-2026-32201**, CVSS score: 6.5) that could allow an attacker to view sensitive information. The company said it's being actively exploited, although there are no insights into the in-the-wild exploitation associated with the bug.
Kev Breen, senior director of threat research at **Immersive**, noted that **SharePoint** services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques. He added that threat actors with access to **SharePoint** services could deploy weaponized documents or replace legitimate documents with infected versions to spread laterally across the organization.
## Software Patches from Other Vendors
In addition to **Microsoft**, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including:
* [ABB](https://www.abb.com/global/en/company/about/cybersecurity/alerts-and-notifications)
* [Amazon Web Services](https://aws.amazon.com/security/security-bulletins/)
* [AMD](https://www.amd.com/en/resources/product-security.html#security)
* [Apple](https://support.apple.com/en-us/HT201222)
* [ASUS](https://www.asus.com/security-advisory/)
* [AVEVA](https://www.aveva.com/en/support-and-success/cyber-security-updates/)
* [Broadcom](https://support.broadcom.com/web/ecx/security-advisory) (including VMware)
* [Canon](https://psirt.canon/advisory-information/#id_2229656)
* [Cisco](https://tools.cisco.com/security/center/publicationListing.x)
* [Citrix](https://support.citrix.com/support-home/topic-article-list?trendingCategory=20&trendingTopicName=Latest%20Security%20Bulletin)
* [CODESYS](https://www.codesys.com/ecosystem/security/latest-codesys-security-advisories/)
* [D-Link](https://supportannouncement.us.dlink.com/)
* [Dassault Systèmes](https://www.3ds.com/trust-center/security/security-advisories)
* [Dell](https://www.dell.com/support/security/)
* [Devolutions](https://devolutions.net/security/advisories/)
* [dormakaba](https://www.dormakabagroup.com/en/security-advisories)
* [Drupal](https://www.drupal.org/security)
* [Elastic](https://discuss.elastic.co/c/announcements/security-announcements/31)
* [F5](https://my.f5.com/manage/s/new-updated-articles#f-f5_document_type=Security%20Advisory&aq=%40f5_original_published_date%20%3E%3D%20now-7d)
* [Fortinet](https://www.fortiguard.com/psirt)
* [Foxit Software](https://www.foxit.com/support/security-bulletins.html)
* [FUJIFILM](https://www.fujifilm.com/fbglobal/eng/company/news/notice)
* [Gigabyte](https://www.gigabyte.com/us/Support/Security)
* [GitLab](https://docs.gitlab.com/releases/18/patch-release-gitlab-18-10-3-released/)
* Google [Android](https://source.android.com/docs/security/bulletin/2026/2026-04-01) and [Pixel](https://source.android.com/docs/security/bulletin/pixel/2026/2026-04-01)
* [Google Chrome](https://chromereleases.googleblog.com/)
* [Google Cloud](https://cloud.google.com/support/bulletins)
* [Grafana](https://grafana.com/security/security-advisories/)
* [Hitachi Energy](https://www.hitachienergy.com/in/en/products-and-solutions/cybersecurity/alerts-and-notifications)
* [HP](https://support.hp.com/us-en/security-bulletins)
* [HP Enterprise](https://support.hpe.com/connect/s/securitybulletinlibrary?language=en_US#sort=%40hpescuniversaldate%20descending&layout=table&numberOfResults=25&f:@kmdoclanguagecode=[cv1871440]&hpe=1) (including Aruba Networking and [Juniper Networks](https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=[Security%20Advisories]))
* [Huawei](https://www.huawei.com/en/psirt/all-bulletins)
* [IBM](https://www.ibm.com/support/pages/bulletin/)
* [Ivanti](https://hub.ivanti.com/s/searchallcontent?language=en_US#q=CVE&sortCriteria=date%20descending&f-sfkbknowledgearticletypec=Security%20Advisory&f-commonlanguage=English)
* [Jenkins](https://www.jenkins.io/security/advisories/)
* [Lenovo](https://support.lenovo.com/us/en/product_security/ps500001-lenovo-product-security-advisories)
* Linux dist