Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

Staff Editor 2026-05-18
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html

Publish Date: 2026-05-18 06:54:00

Source Domain: thehackernews.com

Ravie LakshmananMay 18, 2026Vulnerability / Software Security

Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code.

Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026-8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks.

“External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks,” Ivanti said in an advisory.

Fortinet published advisories for two critical shortcomings affecting FortiAuthenticator and FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that could result in code execution –

  • CVE-2026-44277 (CVSS score: 9.1) – An improper access control vulnerability in FortiAuthenticator that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. (Fixed in FortiAuthenticator versions 6.5.7, 6.6.9, and 8.0.3)
  • CVE-2026-26083 (CVSS score: 9.1) – A missing authorization vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. (Fixed in FortiSandbox versions 4.4.9 and 5.0.2, FortiSandbox Cloud version 5.0.6, and FortiSandbox PaaS versions 4.4.9. and 5.0.2)

SAP also shipped fixes for two critical vulnerabilities –

  • CVE-2026-34260 (CVSS score: 9.6) – An SQL injection vulnerability in SAP S/4HANA
  • CVE-2026-34263 (CVSS score: 9.6) – A missing authentication check in the SAP Commerce cloud configuration

“The vulnerability is caused by an overly permissive security configuration with improper rule ordering, allowing an unauthenticated user to perform malicious configuration upload and code…

Source

More Stories

Diaspo #444: From supercomputers to cybersecurity, Asmae Mhassni’s unconventional path

Diaspo #444: From supercomputers to cybersecurity, Asmae Mhassni’s unconventional path

Staff Editor 2026-06-06
Opal Security Raises Million for AI-Native Identity Governance

Opal Security Raises $23 Million for AI-Native Identity Governance

Staff Editor 2026-06-06
Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI

Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy