Wave of Critical CVEs Hits Core Enterprise Platforms
Enterprise software security teams are facing a dense cluster of critical CVEs spanning Ivanti, Fortinet, SAP, VMware and n8n, with the most severe rated CVSS 9.6 and the n8n batch at 9.4. Collectively, these issues require patches for remote code execution (RCE), SQL injection, authentication and authorization bypass, and local privilege escalation. Because the affected products are widely deployed in production (IT service management reporting, network authentication, malware sandboxing, ERP and e-commerce, desktop virtualization, and workflow automation), the potential blast radius is significant. Several of the flaws are exploitable by unauthenticated attackers, and most of the rest need only a low-privileged account, which lowers the barrier to compromise. At the same time, the simultaneous release of patches across vendors compresses remediation timelines and complicates change windows. Organizations should move these critical CVSS flaws to the top of their vulnerability management queues, pairing rapid deployment with enough testing to avoid downtime while cutting the exposed attack surface as fast as possible.
Ivanti and Fortinet: Access-Control Weaknesses Leading to RCE
Among the most severe issues is CVE-2026-8043 in Ivanti Xtraction, rated 9.6. It stems from external control of file names (the attacker chooses which file the application reads or writes), allowing a remote authenticated attacker to read sensitive files and write arbitrary HTML into web directories. The result is information disclosure plus a foothold for client-side attacks on other users of the application, so although the flaw is not code execution in itself, it warrants the same urgency as an RCE patch in any environment running Ivanti Xtraction before version 2026.2. Fortinet has published two critical advisories, both scoring 9.1. CVE-2026-44277 affects FortiAuthenticator, where improper access control may let unauthenticated attackers execute unauthorized code via crafted requests. CVE-2026-26083 impacts FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS, where missing authorization in the web UI enables RCE through HTTP requests. Because FortiAuthenticator sits in the authentication path and FortiSandbox in the path that suspicious files take for detonation, a compromise of either gives an attacker a position inside the security architecture itself; until these RCE patches are applied, the affected web interfaces should not be reachable from untrusted networks.
SAP and VMware: Business-Critical and Local Privilege Escalation Risks
SAP has delivered two critical corrections that directly affect business-critical systems. CVE-2026-34260, a 9.6-rated SQL injection flaw in SAP S/4HANA, allows low-privileged authenticated users to inject SQL, read data they are not authorized to see, and potentially crash the application. Because the injected queries are read-only, integrity is less affected, but confidentiality and availability remain at risk, making this a priority SQL injection fix. CVE-2026-34263, also rated 9.6, arises from an overly permissive security configuration and incorrect rule ordering in SAP Commerce Cloud. An unauthenticated attacker could upload malicious configuration, inject code and achieve arbitrary server-side code execution. Separately, Broadcom's VMware Fusion update addresses CVE-2026-41702, a 7.8-rated time-of-check to time-of-use (TOCTOU) race condition in a setuid binary: a check and the privileged action that depends on it are not atomic, so a local non-admin user who changes the state between the two can escalate privileges to root, turning a compromised workstation into a powerful foothold. Applying these patches quickly is essential to protect ERP, e-commerce, and developer or admin desktops.
n8n Workflow Platform: Prototype Pollution and Full Host Compromise
Automation platform n8n has shipped patches for five critical vulnerabilities, each scoring 9.4 and centering on prototype pollution and RCE. CVE-2026-42231 involves the xml2js library used in webhook handling: crafted XML lets an authenticated workflow creator pollute the global object prototype and ultimately execute code on the n8n host. CVE-2026-42232 enables similar global prototype pollution via the XML node, and CVE-2026-44791 bypasses that earlier fix. CVE-2026-44789 abuses an unvalidated pagination parameter in the HTTP Request node, again reaching RCE via prototype pollution. Finally, CVE-2026-44790 lets attackers inject command-line flags into the Git node's Push operation to read arbitrary files and fully compromise the server. Since these flaws live in webhook handling and in workflow nodes, the attack surface is anyone who can author workflows, and instances where low-trust users are allowed to do so are the most exposed. Because n8n typically holds credentials for the APIs and data stores its workflows touch, a compromised host cascades into every integrated system, which makes upgrading to the patched versions a critical RCE remediation.
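The following is an added example, not n8n's code and not from the original article, showing the mechanism behind the prototype pollution flaws described above: a recursive merge that treats every key in parsed input as an ordinary property walks straight into `Object.prototype` when it meets a key named `__proto__` (or `constructor` followed by `prototype`), while a hardened merge refuses those keys. The parsed objects are constructed inline with `JSON.parse` to stand in for the output of an XML-to-object conversion; the only assumption is that element or parameter names become object keys, which is how libraries such as xml2js behave.

```javascript
// Added example, not n8n's code. Demonstrates why a naive recursive merge of
// parsed input pollutes Object.prototype and how a hardened merge prevents it.

// Payloads are constructed for this example. JSON.parse is used on purpose:
// in an object literal, {"__proto__": x} would set the prototype, whereas
// JSON.parse creates a plain own property named "__proto__", which is what a
// parser produces for an element or parameter of that name.
const PROTO_PAYLOAD = '{"webhook":{"__proto__":{"polluted":"yes"}}}';
const CTOR_PAYLOAD = '{"constructor":{"prototype":{"polluted":"yes"}}}';
const BENIGN_PAYLOAD = '{"order":{"id":"42","status":"paid"}}';

// VULNERABLE: for every key in source, descend into target[key]. When key is
// "__proto__", target[key] resolves to Object.prototype, so the recursion
// writes "polluted" onto every object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: reject the keys that lead to a prototype, and only descend into
// properties the target really owns, never into inherited ones.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new Error(`refusing to merge dangerous key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the payload polluted Object.prototype, i.e. if an
// unrelated object now sees the attacker's property. Cleans up afterwards so
// one demonstration does not contaminate the next.
function demoUnsafe(payloadJson) {
  const unrelated = {};
  mergeUnsafe({}, JSON.parse(payloadJson));
  const polluted = unrelated.polluted === 'yes';
  delete Object.prototype.polluted;
  return polluted;
}

// Returns 'rejected', 'polluted' or 'clean' for the hardened merge.
function demoSafe(payloadJson) {
  try {
    mergeSafe({}, JSON.parse(payloadJson));
  } catch (e) {
    return 'rejected';
  }
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked ? 'polluted' : 'clean';
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge, __proto__ key  :', demoUnsafe(PROTO_PAYLOAD)); // true
  console.log('unsafe merge, constructor key:', demoUnsafe(CTOR_PAYLOAD));  // true
  console.log('safe merge, __proto__ key    :', demoSafe(PROTO_PAYLOAD));   // rejected
  console.log('safe merge, benign input     :', demoSafe(BENIGN_PAYLOAD));  // clean
}
```

The key-deny list is the minimum; a merge that must accept arbitrary input is safer still if it builds targets with `Object.create(null)` so there is no prototype to reach, and an application can additionally freeze `Object.prototype` at startup so that any pollution attempt throws instead of succeeding silently. The step from pollution to code execution is then a matter of which library reads an unexpected inherited property (a shell option, a template setting, a child-process environment), which is why these flaws are rated as RCE rather than as a data-handling bug.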
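The Git node flaw is a different bug class, argument injection, and this added example (again not n8n's code) shows the pattern in general terms: a remote or branch name that begins with `-` is parsed by git as an option even when the arguments are passed as an array rather than through a shell, so the value has to be validated before the command is assembled. The validator below approximates git's own reference-name rules (`git check-ref-format`) and is an assumption for illustration; it treats remote names and branch names alike and leaves remote URLs out of scope.

```javascript
// Added example, not n8n's code. Shows how a user-controlled remote or branch
// name turns into an option when it reaches git's argument list, and a
// validator that refuses such values before the command is built.

// Building an argument array for execFile/spawn (never a shell string) stops
// shell metacharacters, but not this: git still sees a leading "-" as a flag.
function buildPushArgsUnsafe(remote, branch) {
  return ['push', remote, branch];
}

// Approximation of the rules git applies to reference names, plus an explicit
// leading "-" check. Colons are refused too, so "src:dst" refspecs and URLs
// are deliberately not accepted by this validator.
function isSafeGitName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 255) return false;
  if (name.startsWith('-')) return false;                 // would parse as an option
  if (/[\x00-\x20\x7f~^:?*[\\]/.test(name)) return false; // control chars, space, git's forbidden set
  if (name.includes('..') || name.includes('@{') || name.includes('//')) return false;
  if (name === '@' || name.endsWith('.') || name.endsWith('.lock')) return false;
  if (name.startsWith('/') || name.endsWith('/')) return false;
  return true;
}

// HARDENED: every positional argument is validated before it is placed.
function buildPushArgs(remote, branch) {
  for (const [label, value] of [['remote', remote], ['branch', branch]]) {
    if (!isSafeGitName(value)) {
      throw new Error(`${label} "${value}" is not a safe git name`);
    }
  }
  return ['push', remote, branch];
}

// Wraps the hardened builder so a caller (or a test) can see the decision.
function tryPush(remote, branch) {
  try {
    return { status: 'ok', args: buildPushArgs(remote, branch) };
  } catch (e) {
    return { status: 'rejected', reason: e.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildPushArgsUnsafe('origin', '--not-a-branch')); // flag reaches git
  console.log(tryPush('origin', 'feature/login-2'));            // ok
  console.log(tryPush('origin', '--not-a-branch'));             // rejected
  console.log(tryPush('-evil', 'main'));                        // rejected
}
```

Git 2.24 and later also understand `--end-of-options`, after which nothing is parsed as a flag; that is worth adding as defense in depth, but it does not replace validating the value, since a malformed refspec or a crafted remote URL can still select an unexpected target or helper.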
Coordinating Multi-Vendor Patching Without Losing Visibility
With numerous vendors releasing updates simultaneously (Ivanti, Fortinet, SAP, VMware, n8n and many others across application, cloud, device and OS ecosystems), IT and security teams must refine their vulnerability management workflows. Treat these eleven issues as top-tier: between them they combine critical CVSS scores, RCE, SQL injection, authentication bypass and privilege escalation. Prioritization should weigh exploitability (unauthenticated versus authenticated, remote versus local), exposure (internet-facing versus internal) and business criticality (ERP, identity, security controls). Centralizing advisories, normalizing CVE data into one schema and joining it against the asset inventory is what turns a pile of advisories into a ranked queue, and, just as important, surfaces affected products that the inventory does not know about. Where immediate patching is constrained by change-control windows, deploy compensating controls in the meantime: restrict who can reach the affected interfaces, add WAF rules in front of the vulnerable endpoints, and increase monitoring on the affected hosts. Ultimately, the clustering of RCE and privilege escalation fixes across core enterprise platforms underscores the need for mature, repeatable patch orchestration processes capable of handling bursts of simultaneous, high-severity releases.
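As an added example of the triage step described above (not from the article or from any of the vendors), the script below normalizes the eleven advisories into one record shape, joins them against a small asset inventory, scores each advisory-asset pair on the three factors the text names, and reports the advisories that matched no asset at all. The CVE identifiers and CVSS scores are the ones the article gives; the inventory, the access level assumed for the n8n node flaws, and the weights are constructed assumptions for illustration and would be tuned to a real environment.

```javascript
// Added example, not from the article or any vendor. Joins normalized
// advisory records against an asset inventory and produces a ranked queue
// plus the advisories that matched nothing (an inventory gap to investigate).

// Advisory records normalized from the article; access levels for the four
// n8n node flaws are assumed to match the workflow-author access of the first.
const ADVISORIES = [
  { cve: 'CVE-2026-8043',  product: 'ivanti-xtraction',   cvss: 9.6, access: 'authenticated',   effect: 'file-read-write' },
  { cve: 'CVE-2026-44277', product: 'fortiauthenticator', cvss: 9.1, access: 'unauthenticated', effect: 'rce' },
  { cve: 'CVE-2026-26083', product: 'fortisandbox',       cvss: 9.1, access: 'unauthenticated', effect: 'rce' },
  { cve: 'CVE-2026-34260', product: 'sap-s4hana',         cvss: 9.6, access: 'low-privileged',  effect: 'sqli' },
  { cve: 'CVE-2026-34263', product: 'sap-commerce-cloud', cvss: 9.6, access: 'unauthenticated', effect: 'rce' },
  { cve: 'CVE-2026-41702', product: 'vmware-fusion',      cvss: 7.8, access: 'local',           effect: 'lpe' },
  { cve: 'CVE-2026-42231', product: 'n8n',                cvss: 9.4, access: 'authenticated',   effect: 'rce' },
  { cve: 'CVE-2026-42232', product: 'n8n',                cvss: 9.4, access: 'authenticated',   effect: 'rce' },
  { cve: 'CVE-2026-44791', product: 'n8n',                cvss: 9.4, access: 'authenticated',   effect: 'rce' },
  { cve: 'CVE-2026-44789', product: 'n8n',                cvss: 9.4, access: 'authenticated',   effect: 'rce' },
  { cve: 'CVE-2026-44790', product: 'n8n',                cvss: 9.4, access: 'authenticated',   effect: 'file-read-rce' },
];

// Constructed inventory: what runs where, how exposed it is, how critical.
const ASSETS = [
  { id: 'fac-01',      product: 'fortiauthenticator', exposure: 'internet', criticality: 'identity' },
  { id: 'sap-prd',     product: 'sap-s4hana',         exposure: 'internal', criticality: 'erp' },
  { id: 'n8n-ops',     product: 'n8n',                exposure: 'internal', criticality: 'automation' },
  { id: 'n8n-partner', product: 'n8n',                exposure: 'internet', criticality: 'automation' },
  { id: 'lt-dev-07',   product: 'vmware-fusion',      exposure: 'endpoint', criticality: 'workstation' },
];

// Assumed weights: CVSS is the base, then the three factors the text names.
const ACCESS_WEIGHT = { unauthenticated: 2, 'low-privileged': 1, authenticated: 1, local: 0 };
const EXPOSURE_WEIGHT = { internet: 2, internal: 0.5, endpoint: 0 };
const CRITICALITY_WEIGHT = { identity: 2, erp: 2, 'security-control': 2, automation: 1, workstation: 0.5 };

function scoreFinding(advisory, asset) {
  const score = advisory.cvss
    + ACCESS_WEIGHT[advisory.access]
    + EXPOSURE_WEIGHT[asset.exposure]
    + CRITICALITY_WEIGHT[asset.criticality];
  return Math.round(score * 10) / 10;
}

// Joins advisories to assets by product. Advisories with no matching asset
// are returned separately: either the product really is absent or the
// inventory is incomplete, and someone has to decide which.
function buildQueue(advisories, assets) {
  const queue = [];
  const unmatched = [];
  for (const adv of advisories) {
    const affected = assets.filter((a) => a.product === adv.product);
    if (affected.length === 0) {
      unmatched.push(adv.cve);
      continue;
    }
    for (const asset of affected) {
      queue.push({ cve: adv.cve, asset: asset.id, score: scoreFinding(adv, asset), effect: adv.effect });
    }
  }
  // Highest score first; equal scores fall back to CVE id for a stable order.
  queue.sort((a, b) => b.score - a.score || a.cve.localeCompare(b.cve));
  return { queue, unmatched };
}

if (typeof require !== 'undefined' && require.main === module) {
  const { queue, unmatched } = buildQueue(ADVISORIES, ASSETS);
  for (const f of queue) console.log(f.score.toFixed(1), f.cve, f.asset, f.effect);
  console.log('no asset found for:', unmatched.join(', '));
}
```

With this inventory the internet-facing FortiAuthenticator ranks first, the internet-facing n8n instance outranks the internal one for every n8n CVE, and the Ivanti, FortiSandbox and SAP Commerce Cloud advisories land in the unmatched list. That last output is the point of joining against the inventory: a product nobody has recorded is exactly the one that gets missed during a burst of simultaneous releases.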
