Lead Analysis
Security & Risk · 6 min read

Critical CVE Wave Affects SAP, Fortinet, Ivanti and VMware Amidst the S/4HANA Rush

[Image: a hand pinning a red urgency tag onto a whiteboard covered in a network flowchart in an IT crisis room, with empty coffee cups and bluish monitors in the background]

SAP S/4HANA receives a fix for a SQL injection flaw rated CVSS 9.6 in the same month that more than half of SAP's global customers complete their migration to the platform. FortiAuthenticator and FortiSandbox are patched against access-control flaws, and n8n accumulates five CVEs rated CVSS 9.4.

The week opened with a synchronised run of critical vulnerability disclosures from enterprise vendors. SAP, Fortinet, Ivanti, VMware and n8n released fixes for high-severity flaws between Monday and Tuesday, in a volume and spread that will demand coordinated action from infrastructure and security teams over the coming days. None of the CVEs was reported as actively exploited at the time of publication, but in recent comparable cases the window between disclosure and exploitation has narrowed to hours.


The most consequential alert comes from SAP, and what makes this case unusual is its timing relative to the company's migration calendar. The fix for CVE-2026-34260, a SQL injection vulnerability in S/4HANA with a CVSS score of 9.6, lands just as more than half of SAP's global customers have completed or are completing the move from the legacy ECC platform to the current version, according to tracking by SAPinsider. SAP's own support calendar, which keeps the end of ECC support at 2027 with paid extensions to 2033 via RISE with SAP, has created a mass-migration window, and that window coincides with the disclosure. The flaw lets attacker-controlled input expose sensitive database information; the access is read-only, but that is enough to leak the configuration of critical tables in environments where the migration has not yet stabilised access-segregation policies. SAP's second critical fix, CVE-2026-34263, targets SAP Commerce Cloud, also scored 9.6, and opens the way to arbitrary code execution on the server through a permissive security configuration in which rules are evaluated in the wrong order. For customers mid-migration, the recommendation is to treat both as a change-window priority within the week.


Fortinet and Ivanti on Access Control


Fortinet disclosed two CVEs scored 9.1. CVE-2026-44277 affects FortiAuthenticator and allows an unauthenticated attacker to execute unauthorised code via crafted requests; the fixed versions are 6.5.7, 6.6.9 and 8.0.3. CVE-2026-26083 affects FortiSandbox across all variants, including Cloud and PaaS, and has the same root cause: a missing authorisation check in the Web UI that permits code execution without authentication. The fixed versions are 4.4.9 and 5.0.2 for on-premises FortiSandbox, 5.0.6 for Cloud, and 4.4.9 or 5.0.2 for PaaS.


Ivanti released a patch for CVE-2026-8043 in Xtraction versions prior to 2026.2, rated CVSS 9.6. The bug allows a remote authenticated attacker to read sensitive files and write arbitrary HTML into the web directory, opening paths to information disclosure and client-side attacks against other users of the portal. VMware fixed CVE-2026-41702 in Fusion (CVSS 7.8), a time-of-check/time-of-use (TOCTOU) race in a setuid binary that lets a local user escalate privileges to root. The fix ships in version 26H1, and the impact is limited to hosts running Fusion, which reduces exposure for fleets standardised on server hypervisors.


n8n Accumulates Flaws in Prototype Pollution


The most substantial case by volume concerns n8n, a workflow-automation platform widely adopted by data-engineering and operations teams. Five CVEs scored CVSS 9.4 were published in the same cycle. CVE-2026-42231 and CVE-2026-42232 involve prototype pollution via XML handling, with remote code execution reachable by authenticated users who hold workflow permissions. The fixed versions are 1.123.32, 2.17.4 and 2.18.1. CVE-2026-44791 documents a bypass of the fix for CVE-2026-42232, which forces a further upgrade to 1.123.43, 2.20.7 or 2.22.1, indicating that the first-round patch was incomplete.
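To make the prototype-pollution mechanism concrete, here is an added example (not n8n's code and not the CVE's actual trigger): a constructed, minimal XML-to-object converter whose output is merged into a defaults object, first with a merge that trusts every element name and then with a hardened one. The element name `__proto__`, the `isAdmin` property, the defaults shape and the merge helpers are all assumptions for illustration; real XML parsers differ, the pollution pattern does not.

```javascript
'use strict';

// Constructed payload: an element whose name is "__proto__".
const PAYLOAD_XML =
  '<item><name>report</name><__proto__><isAdmin>true</isAdmin></__proto__></item>';

const TAG_RE = /<([A-Za-z_][\w.]*)>([\s\S]*?)<\/\1>/g;

// Tiny constructed converter: <a><b>x</b></a> -> { a: { b: "x" } }.
// Like JSON.parse, it creates an own property even when the element is named
// "__proto__"; that is the shape a downstream merge then mishandles.
function xmlToObject(xml) {
  const out = {};
  let sawElement = false;
  for (const [, name, inner] of xml.matchAll(TAG_RE)) {
    sawElement = true;
    Object.defineProperty(out, name, {
      value: xmlToObject(inner), enumerable: true, writable: true, configurable: true,
    });
  }
  return sawElement ? out : xml.trim();
}

const isObject = (v) => v !== null && typeof v === 'object';

// Vulnerable: recursive merge that trusts every key of the parsed document.
// For the key "__proto__", target[key] resolves to Object.prototype and the
// recursion writes attacker-chosen properties onto it.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse prototype-related keys outright and only descend into
// properties the target actually owns, never into inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" in parsed document`);
    }
    if (isObject(source[key]) && isObject(target[key]) && Object.hasOwn(target, key)) {
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs both merges against the payload and reports whether a brand-new,
// unrelated object inherited "isAdmin" afterwards.
function demonstrate() {
  const parsed = xmlToObject(PAYLOAD_XML);
  const defaults = () => ({ item: { name: 'untitled' } }); // assumed defaults shape

  mergeUnsafe(defaults(), parsed);
  const pollutedAfterUnsafe = ({}).isAdmin === 'true';
  delete Object.prototype.isAdmin; // undo the damage so the rest of the process is clean

  let safeRejected = false;
  try {
    mergeSafe(defaults(), parsed);
  } catch (err) {
    safeRejected = true;
  }
  const pollutedAfterSafe = ({}).isAdmin !== undefined;

  return { pollutedAfterUnsafe, safeRejected, pollutedAfterSafe };
}

console.log(demonstrate());
```

The useful check for a code review is the `isObject(target[key])` branch: it is true for `__proto__` on any plain object because the lookup walks the prototype chain. Rejecting the three keys and gating descent on `Object.hasOwn` closes both routes; building parsed objects with `Object.create(null)` is a complementary defence.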


CVE-2026-44789 affects the HTTP Request node through an unvalidated pagination parameter. CVE-2026-44790 is potentially the most severe of the series: a CLI flag injection in the Git node's Push operation allows arbitrary file reading on the n8n server, which is enough for full compromise because the instance's configuration and stored credential material live on that filesystem. Teams running n8n in production should move directly to 1.123.43, 2.20.7 or 2.22.1 on their respective release line rather than stopping at the first-round versions, since only the later fix closes the whole set.
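The Git-node issue is an instance of argument injection: a value the caller meant as data is parsed by the CLI as an option. The added example below (not n8n's code) builds the argv for a push in an unsafe and a hardened form without spawning git. The `--receive-pack` value is a real `git push` option chosen for illustration; the page does not say which flag CVE-2026-44790 abuses, and the character set allowed for remote and branch names is an assumption.

```javascript
'use strict';

// Added example, not n8n's code. Builds the argv for "git push" from two
// node parameters and shows how an option-shaped value slips through.
// Nothing is executed here; the arrays are what would be handed to
// child_process.spawn('git', argv). Passing an array avoids shell injection
// but does nothing about option injection, which is a separate problem.

// Vulnerable: parameters go straight into argv. git's option parser sees
// "--receive-pack=/tmp/evil" and treats it as an option naming the
// receive-pack program to execute, rather than as a remote name.
function buildPushArgsUnsafe(remote, branch) {
  return ['push', remote, branch];
}

// Hardened: reject anything that starts with "-" or falls outside a
// conservative character set (an assumption for this example), and end option
// parsing with "--" so the remaining values can only be positional.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]*$/;

function assertPositional(label, value) {
  if (typeof value !== 'string' || value.startsWith('-') || !SAFE_REF.test(value)) {
    throw new Error(`refused ${label}: ${JSON.stringify(value)}`);
  }
  return value;
}

function buildPushArgsSafe(remote, branch) {
  return ['push', '--', assertPositional('remote', remote), assertPositional('branch', branch)];
}

// Constructed inputs: an attacker-controlled remote name and a benign push.
function demonstrate() {
  const evilRemote = '--receive-pack=/tmp/evil';
  const unsafeArgv = buildPushArgsUnsafe(evilRemote, 'main');
  let safeRejected = false;
  try {
    buildPushArgsSafe(evilRemote, 'main');
  } catch (err) {
    safeRejected = true;
  }
  return {
    unsafeArgv,                                            // ['push', '--receive-pack=/tmp/evil', 'main']
    safeRejected,                                          // true
    benignArgv: buildPushArgsSafe('origin', 'feature/x'),  // ['push', '--', 'origin', 'feature/x']
  };
}

console.log(demonstrate());
```

The `--` terminator is the cheap, general fix for any CLI that supports it; the allow-list is what catches values that are not options but are still hostile (embedded newlines, path traversal in a remote URL), and it should be tuned to what the node legitimately needs to accept.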


This week's pattern puts particular pressure on hybrid environments. Updates for SAP, FortiAuthenticator and Xtraction usually fall into separate change-management windows, and the overlap in priorities will force CISOs to reorganise their remediation backlog and treat all three as a single category. The specific risk in 2026 is that S/4HANA migrations often run in dual-stack mode for weeks, with legacy and new systems coexisting. Environments in that phase are particularly exposed: the team in charge is focused on business-process compatibility, not on patching the system that has just gone live.

The New Times