In May 2026, five major vendors (Ivanti, Fortinet, SAP, n8n and Broadcom/VMware) released fixes for 11 vulnerabilities rated high or critical, with CVSS scores from 7.8 to 9.6. The greatest risk comes from two vulnerabilities in SAP S/4HANA and SAP Commerce (CVSS 9.6) and from five vulnerabilities in the n8n automation platform (CVSS 9.4) that enable remote code execution. No active exploitation had been reported at the time of publication, but the severity ratings and the availability of patches call for prompt action.
SAP: SQL injection and authentication bypass with CVSS 9.6
SAP has fixed two critical vulnerabilities, confirmed by entries in the NVD:
- CVE-2026-34260 (CVSS 9.6) — SQL injection in SAP S/4HANA. According to Pathlock, an authenticated attacker with low privileges can inject SQL through user input, leading to disclosure of sensitive database contents and application crashes. The affected code path only reads data, so integrity is not compromised.
- CVE-2026-34263 (CVSS 9.6) — missing authentication checks in SAP Commerce Cloud configuration. According to the Onapsis analysis, the root cause is an overly permissive security configuration with an incorrect rule order, which lets an unauthenticated user upload a malicious configuration and execute arbitrary server-side code.
Both vulnerabilities are described in the May SAP Security Patch Day bulletin. CVE-2026-34263 is particularly dangerous: it does not require authentication and opens the door to full arbitrary code execution on the server.
n8n: five remote code execution vulnerabilities
The workflow automation platform n8n has disclosed five critical vulnerabilities, each with a CVSS score of 9.4. All require authentication and permissions to create or modify workflows, but once those conditions are met, they allow complete host compromise:
- CVE-2026-42231 — prototype pollution via the xml2js library in the webhook handler, leading to remote code execution through a specially crafted XML payload.
- CVE-2026-42232 — global prototype pollution via the XML node, resulting in remote code execution when combined with other nodes.
- CVE-2026-44791 — a bypass of the fix for CVE-2026-42232, reopening the possibility of remote code execution.
- CVE-2026-44789 — global prototype pollution via an unvalidated pagination parameter in the HTTP Request node.
- CVE-2026-44790 — CLI flag injection in the Git node’s Push operation, allowing reading of arbitrary files from the n8n server and resulting in full compromise.
Notably, CVE-2026-44791 is a bypass of a previously released fix, a classic example of an initial patch proving insufficient. Fixes for the first two vulnerabilities (CVE-2026-42231, CVE-2026-42232) shipped in versions 1.123.32, 2.17.4 and 2.18.1; fixes for the remaining three shipped in versions 1.123.43, 2.20.7 and 2.22.1. Because of the bypass, an instance that only took the first round of updates is still exposed, so the later versions are the ones to target.
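As an added illustration (not n8n's code, nor the xml2js library's), the following JavaScript models the two input-handling failures behind this set of CVEs: a value taken from a parsed payload (an XML element name, a pagination option) used as a key path when writing into an object, which is how a "__proto__" key reaches Object.prototype, and a user-supplied branch or remote name handed to git as a bare argv element, which is how a value beginning with "-" is read as a flag. The `setByPath` sinks, the `buildPushArgs` wrappers and the `isPlainRefName` check are constructed for this example and do not reproduce how the n8n nodes are actually written; the key paths and names used as input are likewise constructed.

```javascript
// Added example: models the input-handling bugs behind the n8n CVEs above.
// Not n8n code; the sinks, the wrapper and the validator are constructed for illustration.

// ---- Prototype pollution -------------------------------------------------
// Vulnerable sink: writes `value` at an attacker-controlled dotted key path.
// A path segment "__proto__" resolves to Object.prototype, so the final write
// becomes visible on every plain object in the process.
function setByPathUnsafe(target, path, value) {
  const keys = path.split(".");
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Hardened sink: refuse the keys that reach the prototype chain, only descend
// into own properties, and create intermediate nodes without a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function setByPathSafe(target, path, value) {
  const keys = path.split(".");
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
  }
  let node = target;
  for (const key of keys.slice(0, -1)) {
    if (!hasOwn(node, key) || typeof node[key] !== "object" || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Runs the unsafe sink with a constructed key path (the kind a crafted XML element
// or pagination option could supply), checks whether an unrelated object picked up
// the property, then removes the pollution again so the process is left clean.
function demoPollution() {
  const unrelated = {};
  setByPathUnsafe({}, "__proto__.isAdmin", true);
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// ---- CLI flag injection ---------------------------------------------------
// Vulnerable wrapper: remote and branch go straight into argv, so a value such
// as "--some-option=value" is parsed by git as an option rather than a name.
function buildPushArgsUnsafe(remote, branch) {
  return ["push", remote, branch];
}

// A subset of git's ref-name rules, tightened for a wrapper: no leading "-",
// no "..", no "@{", no ".lock" suffix, no control, space or special characters.
function isPlainRefName(name) {
  return (
    typeof name === "string" &&
    name.length > 0 &&
    name.length <= 255 &&
    !name.startsWith("-") &&
    !name.includes("..") &&
    !name.includes("@{") &&
    !name.endsWith(".lock") &&
    !/[\x00-\x20\x7f~^:?*\[\\]/.test(name)
  );
}

// Hardened wrapper: validate both names and close option parsing with "--".
// The array is meant for child_process.spawn("git", args) with no shell, so the
// only parser that ever sees the names is git's own.
function buildPushArgs(remote, branch) {
  if (!isPlainRefName(remote) || !isPlainRefName(branch)) {
    throw new Error("invalid remote or branch name");
  }
  return ["push", "--", remote, branch];
}

// Stand-alone walk-through of both paths.
function demo() {
  const lines = [];
  lines.push(`unsafe sink polluted Object.prototype: ${demoPollution()}`);
  try {
    setByPathSafe({}, "__proto__.isAdmin", true);
  } catch (e) {
    lines.push(`safe sink: ${e.message}`);
  }
  lines.push(`unsafe argv: ${JSON.stringify(buildPushArgsUnsafe("origin", "--some-option=value"))}`);
  try {
    buildPushArgs("origin", "--some-option=value");
  } catch (e) {
    lines.push(`safe wrapper: ${e.message}`);
  }
  lines.push(`safe argv: ${JSON.stringify(buildPushArgs("origin", "feature/x"))}`);
  return lines;
}

console.log(demo().join("\n"));
```

The two fixes are independent and both matter: the key denylist alone still leaves `hasOwn`-less code descending into inherited objects, and `--` alone does nothing for a name that git rejects for other reasons, which is why the wrapper validates first and only then terminates option parsing.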
Fortinet: code execution without authentication
Fortinet has published advisories for two critical vulnerabilities, each with a CVSS score of 9.1:
- CVE-2026-44277 — improper access control in FortiAuthenticator, allowing an unauthenticated attacker to execute unauthorized code via specially crafted requests. Fixed in versions 6.5.7, 6.6.9 and 8.0.3.
- CVE-2026-26083 — missing authorization in the web interface of FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS, allowing an unauthenticated attacker to execute code via HTTP requests. Fixed in FortiSandbox 4.4.9 and 5.0.2, FortiSandbox Cloud 5.0.6 and FortiSandbox PaaS 4.4.9 and 5.0.2.
Neither vulnerability requires authentication, which significantly increases the risk. Fortinet products have long been an attractive target for attackers because they are typically deployed at the network perimeter.
Ivanti Xtraction and VMware Fusion
As stated in the Ivanti advisory, CVE-2026-8043 (CVSS 9.6) in Ivanti Xtraction prior to version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files into the web directory. The result is information disclosure and, since the written files are served by the application itself, potential client-side attacks against its users.
Broadcom has fixed CVE-2026-41702 (CVSS 7.8) in VMware Fusion. According to the Broadcom advisory, it is a time-of-check/time-of-use (TOCTOU) race in an operation performed by a setuid binary: a local user without administrative privileges can escalate to root. The fix is included in version 26H1.
Prioritization recommendations
When planning updates, the following priority order is recommended:
- Highest priority: Fortinet vulnerabilities (CVE-2026-44277, CVE-2026-26083) and SAP Commerce (CVE-2026-34263) — do not require authentication and allow arbitrary code execution.
- High priority: n8n vulnerabilities (all five CVEs) — require authentication but lead to full host compromise; SAP S/4HANA (CVE-2026-34260) — SQL injection with data access.
- Standard priority: Ivanti Xtraction (CVE-2026-8043) — requires authentication and is limited to file reads and writing HTML into the web directory (information disclosure and client-side attacks rather than server-side code execution); VMware Fusion (CVE-2026-41702) — requires local access.
Patches are already available for all of the vulnerabilities listed. Organizations using affected products should apply updates within the next 24–72 hours for top-priority vulnerabilities and in the course of their standard update cycle for the rest. Special attention should be paid to Fortinet products at the network perimeter: the lack of an authentication requirement combined with the potential for code execution makes these vulnerabilities the most likely candidates for early exploitation attempts.