A number of critical vulnerabilities impacting products from Adobe, Fortinet, Microsoft, and SAP have taken center stage in April's Patch Tuesday releases.

Topping the list is an SQL injection vulnerability impacting SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS score: 9.9) that could result in the execution of arbitrary database commands.

"The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed," Onapsis said in an advisory.

In a potential attack scenario, a bad actor could abuse the affected upload-related functionality to run malicious SQL against BW/BPC data stores, extract sensitive data, and delete or corrupt database content.

"Manipulated planning figures, broken reports, or deleted consolidation data can undermine close processes, executive reporting, and operational planning," Pathlock said. "In the wrong hands, this issue also creates a credible path to both stealthy data theft and overt business disruption."

Another security vulnerability that deserves a mention is a critical-severity remote code execution in Adobe Acrobat Reader (CVE-2026-34621, CVSS score: 8.6) that has come under active exploitation in the wild.

That said, there are many unknowns at this stage. It is not clear how many people have been affected by the hacking campaign. Nor is there any information about who is behind the activity, who is being targeted, and what their motives could be.

Also patched by Adobe are five critical flaws in ColdFusion versions 2025 and 2023 that, if successfully exploited, could lead to arbitrary code execution, application denial-of-service, arbitrary file system read, and security feature bypass.

The vulnerabilities are listed below -

CVE-2026-34619 (CVSS score: 7.7) - A path traversal vulnerability leading to security feature bypass

CVE-2026-27304 (CVSS score: 9.3) - An improper input validation vulnerability leading to arbitrary code execution

CVE-2026-27305 (CVSS score: 8.6) - A path traversal vulnerability leading to arbitrary file system read

CVE-2026-27282 (CVSS score: 7.5) - An improper input validation vulnerability leading to security feature bypass

CVE-2026-27306 (CVSS score: 8.4) - An improper input validation vulnerability leading to arbitrary code execution

Fixes have also been released for two critical FortiSandbox vulnerabilities that could result in authentication bypass and code execution -

CVE-2026-39813 (CVSS score: 9.1) - A path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. (Fixed in versions 4.4.9 and 5.0.6)

CVE-2026-39808 (CVSS score: 9.1) - An operating system command injection vulnerability in FortiSandbox that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. (Fixed in version 4.4.9)

The development comes as Microsoft addressed a staggering 169 security defects, including a spoofing vulnerability impacting Microsoft SharePoint Server (CVE-2026-32201, CVSS score: 6.5) that could allow an attacker to view sensitive information. The company said it's being actively exploited, although there are no insights into the in-the-wild exploitation associated with the bug.

"SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made," Kev Breen, senior director of threat research at Immersive, said.

"A secondary concern is that threat actors with access to SharePoint services could deploy weaponised documents or replace legitimate documents with infected versions that would allow them to spread to other hosts or victims moving laterally across the organization."

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —

ABB

Amazon Web Services

AMD

Apple

ASUS

AVEVA

Broadcom (including VMware)

Canon

Cisco

Citrix

CODESYS

D-Link

Dassault Systèmes

Dell

Devolutions

dormakaba

Drupal

Elastic

F5

Fortinet

Foxit Software

FUJIFILM

Gigabyte

GitLab

Google Android and Pixel

Google Chrome

Google Cloud

Grafana

Hitachi Energy

HP

HP Enterprise (including Aruba Networking and Juniper Networks)

Huawei

IBM

Ivanti

Jenkins

Lenovo

Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu

MediaTek

Mitel

Mitsubishi Electric

MongoDB

Moxa

Mozilla Firefox, Firefox ESR, and Thunderbird

NETGEAR

Node.js

NVIDIA

ownCloud

Palo Alto Networks

Phoenix Contact

Progress Software

QNAP

Qualcomm

Rockwell Automation

Ruckus Wireless

Samsung

Schneider Electric

Siemens

SonicWall

Splunk

Spring Framework

Supermicro

Synology

TP-Link

WatchGuard, and

Xiaomi