Last updated: July 5, 2026 at 9:01 AM UTC
Tag: n8n (1 article)

Critical patches from Ivanti, Fortinet, SAP, VMware Fusion, and n8n - RCE, SQL injection, prototype pollution

A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a local privilege escalation in VMware Fusion on macOS (CVE-2026-41702). And the n8n automation platform shipped fixes for five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.

Check
Pull the installed-version list for FortiAuthenticator, FortiSandbox/Cloud/PaaS, SAP S/4HANA, SAP Commerce, Ivanti Xtraction, VMware Fusion, and self-hosted n8n. Compare against the fixed versions listed under Fix.
Affected
FortiAuthenticator before 6.5.7/6.6.9/8.0.3; FortiSandbox before 4.4.9/5.0.2; SAP S/4HANA; SAP Commerce; Ivanti Xtraction before 2026.2; VMware Fusion before 26H1; n8n before 1.123.32/2.17.4/2.18.1.
Fix
Upgrade FortiAuthenticator to 6.5.7/6.6.9/8.0.3, FortiSandbox to 4.4.9/5.0.2, Ivanti Xtraction to 2026.2, VMware Fusion to 26H1, and n8n to 1.123.32/2.17.4/2.18.1. Apply SAP's May notes for CVE-2026-34260 and CVE-2026-34263.
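
The Check step above as a script, added here as an example and not taken from any vendor advisory. It assumes each fixed version patches the release branch sharing its major.minor prefix and that anything newer than every listed fix includes it; the inventory is constructed sample data, and VMware Fusion and the SAP products are left out because the page gives no dotted version number for them.

```python
# Fixed versions copied from the Fix section; one entry per release branch.
FIXED = {
    "FortiAuthenticator": ["6.5.7", "6.6.9", "8.0.3"],
    "FortiSandbox": ["4.4.9", "5.0.2"],
    "Ivanti Xtraction": ["2026.2"],
    "n8n": ["1.123.32", "2.17.4", "2.18.1"],
}

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("auth-01", "FortiAuthenticator", "6.6.8"),
    ("auth-02", "FortiAuthenticator", "7.0.1"),
    ("sbx-01", "FortiSandbox", "5.0.2"),
    ("rpt-01", "Ivanti Xtraction", "2026.1"),
    ("flow-01", "n8n", "2.18.0"),
    ("flow-02", "n8n", "2.17.5"),
]


def parse(version):
    """Turn '2.17.4' into (2, 17, 4) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def triage(product, installed):
    """Return 'patched', 'vulnerable' or 'review' for one installed version."""
    fixes = sorted(parse(v) for v in FIXED[product])
    have = parse(installed)
    # Assumption: a fix applies to the branch with the same major.minor.
    for fix in fixes:
        if have[:2] == fix[:2]:
            return "patched" if have >= fix else "vulnerable"
    if have > fixes[-1]:
        return "patched"      # newer than every listed fix (assumption)
    if have < fixes[0]:
        return "vulnerable"   # older than every listed fix
    # Sits between listed branches: the page names no fix for this branch.
    return "review"


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts that come back as `review` run a branch with no fix listed on this page and need a manual check against the vendor advisory.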