thehackernews.com 4/15/2026, 2:04:13 PM

Exploiters target SAP SQLi and Adobe zero-day flaws in April

April’s Patch Tuesday fixes a string of critical flaws across SAP, Adobe, Microsoft, Fortinet and more. Leading the list is an SQL injection flaw in SAP Business Planning and Consolidation and SAP Business Warehouse (CVE-2026-27681, CVSS 9.9) that could allow arbitrary database commands to be executed, with warnings that manipulated planning figures and data theft could disrupt close processes and executive reporting.

The lineup also includes a critical remote code execution flaw in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6) that is currently under active exploitation, and a batch of Adobe ColdFusion flaws (CVE-2026-34619, CVSS 7.7; CVE-2026-27304, CVSS 9.3; CVE-2026-27305, CVSS 8.6; CVE-2026-27282, CVSS 7.5; CVE-2026-27306, CVSS 8.4) that could enable arbitrary code execution or security feature bypass.

Fortinet addressed two FortiSandbox vulnerabilities (CVE-2026-39813 and CVE-2026-39808, both CVSS 9.1) that could allow an unauthenticated attacker to bypass authentication or execute code. Microsoft patched a broader set of 169 defects, including a spoofing vulnerability in SharePoint Server (CVE-2026-32201, CVSS 6.5) flagged as being actively exploited.

According to Onapsis, the SAP SQL injection could allow a low-privileged user to upload SQL statements that are executed against BW/BPC data stores, risking data theft and loss of data integrity. Pathlock notes that such flaws could undermine close processes and reporting.


Article by CyberSIXT