A wave of critical patches landed across enterprise vendors. Fortinet shipped fixes for two unauthenticated code-execution flaws (CVE-2026-44277 in FortiAuthenticator, CVE-2026-26083 in FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS, both CVSS 9.1). SAP patched a 9.6-rated SQL injection in S/4HANA and a missing-auth check in SAP Commerce that allows unauthenticated code execution. Ivanti Xtraction got a fix for arbitrary file read and write. Broadcom patched a VMware Fusion macOS local privilege escalation flaw (CVE-2026-41702). And the n8n automation platform shipped fixes for five CVSS 9.4 issues, including XML-driven prototype pollution that authenticated workflow editors could turn into RCE.
The Pwn2Own Berlin 2026 contest wrapped up Saturday at OffensiveCon, paying out $1,298,250 for 47 unique zero-days across three days. Taiwan's DEVCORE took the Master of Pwn title with 50.5 points and $505,000 in winnings. The headline Day 3 result came from DEVCORE researcher splitline, who chained two bugs into a successful exploit of Microsoft SharePoint, earning $100,000 and 10 points. SharePoint had survived a failed Rapid7 attempt on Day 2, making this a notable late-contest catch. Day 3 also saw attempts against VMware ESXi, Windows 11, Red Hat Enterprise Linux, and OpenAI Codex. All disclosed bugs now enter ZDI's 90-day disclosure window.