www.securityweek.com 5/13/2026, 9:49:33 AM · via preferred

Fortinet and Ivanti patch 18 flaws, including three critical bugs

Fortinet and Ivanti on Tuesday announced patches for 18 vulnerabilities across their product portfolios, including three critical-severity bugs.

Fortinet published 11 advisories describing as many bugs, among them CVE-2026-44277 (CVSS 9.1), an improper access control issue in FortiAuthenticator, and CVE-2026-26083 (CVSS 9.1), a missing authorization weakness affecting FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI, with remote, unauthenticated attackers able to trigger code execution via crafted requests.

Fortinet also fixed a high-severity out-of-bounds write vulnerability, CVE-2025-53844, in the FortiOS CAPWAP daemon; exploitation requires control of an authenticated FortiAP, FortiExtender or FortiSwitch.

Ivanti published four advisories detailing seven defects across Secure Access Client, Xtraction, Virtual Traffic Manager and EPM, including CVE-2026-8043 (CVSS 9.6), described as external control of a file name that could enable remote reading of sensitive files and writing of arbitrary HTML files.

In total, successful exploitation of these vulnerabilities could lead to arbitrary code execution, information disclosure or privilege escalation; both vendors said they were not aware of any exploits in the wild. According to Fortinet, several medium-severity flaws were also addressed across FortiDeceptor WEB UI, FortiAP, FortiAnalyzer, FortiManager and other products. The patches come as part of a coordinated security update cycle published on 13 May 2026.

Article by CyberSIXT
