Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: sap (3 articles)Clear

Critical patches from Ivanti, Fortinet, SAP, VMware Fusion, and n8n - RCE, SQL injection, prototype pollution

A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a VMware Fusion macOS local-privilege-escalation (CVE-2026-41702). And the n8n automation platform shipped five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.

Check
Pull the installed-version list for FortiAuthenticator, FortiSandbox/Cloud/PaaS, SAP S/4HANA, SAP Commerce, Ivanti Xtraction, VMware Fusion, and self-hosted n8n. Compare against the fixed versions in action_solution.
Affected
FortiAuthenticator before 6.5.7/6.6.9/8.0.3; FortiSandbox before 4.4.9/5.0.2; SAP S/4HANA, SAP Commerce, Ivanti Xtraction before 2026.2; VMware Fusion before 26H1; n8n before 1.123.32/2.17.4/2.18.1.
Fix
Upgrade FortiAuthenticator to 6.5.7/6.6.9/8.0.3, FortiSandbox to 4.4.9/5.0.2, Ivanti Xtraction to 2026.2, VMware Fusion to 26H1, and n8n to 1.123.32/2.17.4/2.18.1. Apply SAP's May notes for CVE-2026-34260 and CVE-2026-34263.

SAP patches two critical CVSS 9.6 flaws in Commerce Cloud and S/4HANA - the ERP and e-commerce platforms behind most large retailers and global enterprises (CVE-2026-34263, CVE-2026-34260)

SAP's May Patch Day included two CVSS 9.6 critical flaws. CVE-2026-34263 in Commerce Cloud is a missing authentication check from improperly ordered Spring Security rules - unauthenticated attackers can upload configurations and inject code. CVE-2026-34260 in S/4HANA is a SQL injection in the ABAP Enterprise Search component that lets low-privilege authenticated users steal sensitive database records. Both land less than two weeks after four SAP npm packages were hit in the Mini Shai-Hulud attack, putting SAP customers under compounding patch pressure.

Check
Inventory SAP Commerce Cloud and S/4HANA instances. Check note application status in Solution Manager or SAP Support Portal. Search application logs for unusual configuration upload attempts.
Affected
SAP Commerce Cloud (all on-prem before patch) - CVE-2026-34263, CVSS 9.6. S/4HANA with ABAP Enterprise Search enabled - CVE-2026-34260, CVSS 9.6. Internet-facing Commerce Cloud is at acute risk.
Fix
Apply SAP Security Notes 3733064 (Commerce Cloud) and 3724838 (S/4HANA). Restrict Commerce Cloud admin endpoints to trusted IPs. Audit Enterprise Search query logs for SQL injection signatures.

Hackers compromised four official SAP developer packages and used them to steal credentials from any developer who installed an update

Attackers compromised four official SAP npm packages on Wednesday and replaced them with versions that quietly steal developer credentials when installed. The packages - mbt, @cap-js/sqlite, @cap-js/postgres, and @cap-js/db-service - are SAP's open-source tools for cloud application development. Anyone who ran 'npm install' between 09:55 and 12:14 UTC on April 29 had their machine grab GitHub tokens, npm credentials, and AWS, Azure, and GCP secrets, then dump them into public GitHub repositories on the victim's own account. The same attackers (TeamPCP) hit Trivy, Checkmarx, and Bitwarden earlier this year. The malware skips Russian-language systems entirely.

Check
Audit your CI/CD pipelines and dev machines for the four compromised SAP packages installed between April 29 09:55 and 13:46 UTC, and rotate every credential on those machines.
Affected
Any developer or CI/CD environment that ran 'npm install' on mbt 1.2.48, @cap-js/sqlite 2.2.2, @cap-js/postgres 2.2.2, or @cap-js/db-service 2.10.1. SAP enterprise shops running CAP are at acute risk because these are core SAP development packages.
Fix
Update to clean SAP versions: @cap-js/db-service 2.11.0, @cap-js/sqlite 2.4.0, @cap-js/postgres 2.3.0. Rotate every GitHub token, npm token, and cloud credential (AWS, Azure, GCP) on machines that touched those packages. Search GitHub for repositories with the description 'A Mini Shai-Hulud has Appeared' belonging to your developers and report them to GitHub.