Microsoft, others patch hundreds of security flaws

Nearly 180 critical vulnerabilities have been collectively addressed by Microsoft, Adobe, SAP, and Fortinet as part of April's Patch Tuesday, The Hacker News reports.

Microsoft has patched 169 flaws, including CVE-2026-32201, a spoofing Microsoft SharePoint Server flaw. The actively exploited flaw could allow threat actors to access sensitive data. Most severe of the bugs in an SQL injection flaw, tracked as CVE-2026-27681, which could lead to the execution of arbitrary database commands on the SAP Business Planning and Consolidation and SAP Business Warehouse to corrupt or delete database content or extract sensitive information.

"The vulnerable ABAP program allows a low-privileged user to upload a file with arbitrary SQL statements that will then be executed," said an advisory from Onapsis. Two critical flaws in FortiSandbox, which could be exploited for code execution and authentication bypass, were also fixed. Adobe addressed five critical bugs in the 2023 and 2025 versions of ColdFusion. The flaws could result in security feature bypass, arbitrary code execution, arbitrary file system read, and application denial-of-service.