April’s Patch Tuesday delivered critical fixes across Adobe, Fortinet, Microsoft, SAP and many other vendors, led by an SQL injection in SAP Business Planning and Consolidation/SAP Business Warehouse (CVE-2026-27681, CVSS 9.9) that can be used to execute arbitrary database commands. Adobe Acrobat Reader (CVE-2026-34621) is facing active in-the-wild RCE exploitation, while FortiSandbox and Microsoft SharePoint Server also received fixes for high-severity flaws.
Key points
- SAP BPC/BW SQL injection (CVE-2026-27681, CVSS 9.9) allows low-privileged users to upload files containing arbitrary SQL that can be executed against data stores.
- Adobe Acrobat Reader RCE (CVE-2026-34621, CVSS 8.6) is confirmed to be actively exploited in the wild.
- Two critical FortiSandbox flaws (CVE-2026-39813 and CVE-2026-39808, CVSS 9.1) enable unauthenticated authentication bypass and OS command injection via crafted HTTP requests.
- Microsoft patched 169 vulnerabilities, including an actively exploited SharePoint Server spoofing bug (CVE-2026-32201) that could expose sensitive information.
- Adobe ColdFusion, along with products from numerous other vendors and OS distributions, also received important fixes. Organizations should prioritize applying updates to prevent data theft and operational disruption.
Read More: https://thehackernews.com/2026/04/april-patch-tuesday-fixes-critical.html