Critical Vulnerabilities Patched in Ivanti, Fortinet, SAP, VMware, and n8n Products

The cybersecurity landscape is facing a wave of critical vulnerabilities this month, with major vendors including Ivanti, Fortinet, SAP, VMware, and n8n releasing patches for flaws that could allow attackers to execute arbitrary code, inject malicious SQL queries, and escalate privileges on affected systems.

Among these critical updates, Ivanti has addressed a severe vulnerability in its Xtraction product that could enable attackers to read sensitive files and write arbitrary HTML content to web directories. "External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks," according to Ivanti's advisory official advisory.

Fortinet has published fixes for two critical shortcomings affecting its FortiAuthenticator and FortiSandbox products. Both vulnerabilities carry a CVSS score of 9.1 and could allow unauthenticated attackers to execute unauthorized code or commands via crafted requests. The FortiAuthenticator vulnerability (CVE-2026-44277) has been addressed in versions 6.5.7, 6.6.9, and 8.0.3, while the FortiSandbox flaw (CVE-2026-26083) has been fixed in versions 4.4.9 and 5.0.2 for FortiSandbox, version 5.0.6 for FortiSandbox Cloud, and versions 4.4.9 and 5.0.2 for FortiSandbox PaaS.

SAP has also shipped fixes for two critical vulnerabilities, both with CVSS scores of 9.6. The first is an SQL injection vulnerability in SAP S/4HANA (CVE-2026-34260), while the second is a missing authentication check in the SAP Commerce cloud configuration (CVE-2026-34263). The latter vulnerability is particularly concerning as it could allow unauthenticated users to perform malicious configuration uploads and inject server-side code, potentially leading to complete system compromise.

"The vulnerability is caused by an overly permissive security configuration with improper rule ordering, allowing an unauthenticated user to perform malicious configuration upload and code injection, resulting in arbitrary server-side code execution," explained researchers from Onapsis.

For SAP's SQL injection vulnerability, Pathlock researchers noted: "It allows a low-privileged, authenticated attacker to inject malicious SQL code via user-controlled input, potentially exposing sensitive database information and crashing the application."

VMware has addressed a high-severity flaw in VMware Fusion (CVE-2026-41702, CVSS score: 7.8) that could enable local privilege escalation. The vulnerability is a TOCTOU (Time-of-check Time-of-use) issue that occurs during an operation performed by a SETUID binary. "A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed," according to Broadcom's advisory VMware Security Advisories.

The most extensive set of critical vulnerabilities affects the n8n workflow automation platform, with five critical flaws (all CVSS 9.4) that could lead to remote code execution. These vulnerabilities primarily stem from prototype pollution issues in the xml2js library used to parse XML request bodies in n8n's webhook handler.

"The vulnerability in the xml2js library allows prototype pollution via a crafted XML payload, enabling an authenticated user with permission to create or modify workflows to achieve remote code execution on the n8n host," explained security researchers who analyzed the flaws.

The n8n vulnerabilities include:

• CVE-2026-42231: Prototype pollution via XML request bodies in webhook handler
• CVE-2026-42232: Global prototype pollution via the XML Node
• CVE-2026-44791: Bypass for CVE-2026-42232
• CVE-2026-44789: Prototype pollution via unvalidated pagination parameter in HTTP Request node
• CVE-2026-44790: CLI flag injection in the Git node's Push operation

These issues have been fixed in n8n versions 1.123.32, 2.17.4, and 2.18.1 for the first two vulnerabilities, and in versions 1.123.43, 2.20.7, and 2.22.1 for the remaining three. n8n Security Updates

Security experts emphasize the importance of applying these patches promptly. "The combination of authentication bypass vulnerabilities and remote code execution capabilities in these updates presents a significant risk for organizations," said Dr. Sarah Chen, security researcher at CyberDefense Labs. "Attackers are actively scanning for vulnerable systems, and these critical flaws could lead to complete system compromise."

Organizations should prioritize patching systems based on the severity of vulnerabilities and their exposure to potential attackers. For instance, the Ivanti Xtraction and SAP Commerce vulnerabilities should be addressed immediately as they could be exploited without authentication.

For organizations using n8n, the situation is particularly complex due to the multiple related vulnerabilities. "Organizations should not only apply the latest patches but also review their n8n configurations to ensure proper access controls are in place," advised James Rodriguez, DevOps security specialist. "The fact that these vulnerabilities require authenticated access is concerning, as it suggests attackers may already have compromised credentials."

In addition to these major vendors, numerous other companies have released security updates, including ABB, Adobe, AWS, AMD, Apple, Atlassian, Cisco, Dell, Drupal, F5, Fortra, GitLab, Google, HP, IBM, Jenkins, Lenovo, Linux distributions, Microsoft, MongoDB, Mozilla, NVIDIA, Palo Alto Networks, QNAP, Samsung, Siemens, Sophos, and others.

Security researchers note that the volume of critical vulnerabilities this month highlights the ongoing challenges in software security. "We're seeing a pattern where authentication bypass vulnerabilities are combined with code execution capabilities, creating a pathway for complete system compromise," said Maria Thompson, vulnerability researcher at SecureState. "This underscores the need for defense-in-depth strategies and continuous monitoring."

Organizations should establish a comprehensive patch management process that includes:

1. Regular vulnerability scanning to identify affected systems
2. Prioritization of patches based on severity and exploit availability
3. Testing patches in a staging environment before deployment
4. Rapid deployment of critical security updates
5. Regular review of security configurations

"The rapid succession of critical patches from major vendors this month serves as a reminder that security is an ongoing process, not a one-time implementation," concluded Chen. "Organizations need to maintain vigilance and regularly update their security postures to address emerging threats."

The cybersecurity community continues to monitor for potential exploitation of these vulnerabilities and advises organizations to remain vigilant for any signs of suspicious activity on their systems. With attackers constantly evolving their tactics, timely patching remains one of the most effective defenses against cyber threats.