April Patch Tuesday vulnerabilities

The Hacker News summary of this month’s Patch Tuesday lists critical fixes across multiple vendors, including a CVSS 9.9 SQL execution flaw in SAP and updates from Adobe, Microsoft, Fortinet, Apple, Google, Cisco, VMware, Palo Alto, AWS and Linux—some of which are already being exploited. The bulletin highlights a wide attack surface that requires coordinated patching across stacks. (x.com)

A security update is not one patch this month; it is a queue of fixes across business software, browsers, phones, firewalls, cloud tools, and Linux servers released on and around Tuesday, April 14. (thehackernews.com)

The most severe issue in this batch is SAP flaw CVE-2026-27681, a CVSS 9.9 SQL injection bug in SAP Business Planning and Consolidation and SAP Business Warehouse. The Hacker News, citing Onapsis, said a low-privileged user could upload a file with SQL statements that the vulnerable program would execute. (thehackernews.com)

Microsoft’s April 2026 release notes show a new Patch Tuesday drop for April, and Adobe published Acrobat and Reader bulletin APSB26-43 on April 11. Adobe said that update fixes a critical code-execution flaw, CVE-2026-34621, and that it is aware of exploitation in the wild. (msrc.microsoft.com, helpx.adobe.com)

Patch Tuesday is the industry habit of shipping fixes on a predictable schedule, usually the second Tuesday of the month, so information technology teams can test and deploy updates in batches. SAP says its own Security Patch Day is synchronized to that same second-Tuesday cadence. (support.sap.com)

That schedule now covers more than desktop software. April advisories also touched Fortinet endpoint management, Palo Alto Networks’ Chromium-based Prisma Browser, Amazon Web Services software, Apple operating systems, Google Chrome channels, Cisco infrastructure, VMware advisories hosted by Broadcom, and Linux distributions such as Ubuntu. (fortiguard.fortinet.com, security.paloaltonetworks.com, aws.amazon.com, support.apple.com, chromereleases.googleblog.com, sec.cloudapps.cisco.com, knowledge.broadcom.com, ubuntu.com)

Some of those fixes are not precautionary. Fortinet said last week that it had observed exploitation in the wild against a FortiClient Enterprise Management Server issue and urged customers on versions 7.4.5 and 7.4.6 to install hotfixes. (fortiguard.fortinet.com)

Apple’s recent security notices show the same pattern of emergency maintenance outside a single vendor’s monthly cycle. Apple said iOS 18.7.7 and iPadOS 18.7.7, released March 24 and expanded on April 1, were pushed to deliver protections from web attacks it called DarkSword. (support.apple.com, support.apple.com)

Palo Alto Networks’ April 8 advisory for Prisma Browser folded in dozens of Chromium fixes, including memory-corruption and use-after-free bugs that can let malicious web content break browser protections. Google’s Chrome release pages show the browser teams were also shipping updates through early April across stable, extended stable, beta, and Android channels. (security.paloaltonetworks.com, chromereleases.googleblog.com, chromereleases.googleblog.com, chromereleases.googleblog.com)

Cloud and server administrators are in the same patch window. Amazon Web Services lists March bulletin 2026-007-AWS for CVE-2026-4270 in the AWS API Model Context Protocol server, and Ubuntu published USN-8149-1 last week for Linux kernel vulnerabilities affecting Ubuntu 24.04 long-term support and newer releases. (aws.amazon.com, ubuntu.com)

Cisco’s public advisories from late March and early April include an authentication bypass in Cisco Integrated Management Controller and bundled Cisco IOS XE fixes. Broadcom’s support portal now serves VMware security advisories, which means many enterprise teams must pull fixes and guidance from several vendor systems at once. (sec.cloudapps.cisco.com, sec.cloudapps.cisco.com, knowledge.broadcom.com)

The practical problem is not just the number of bugs; it is the spread of where they live. A company can patch Windows and still leave an exposed SAP database path, a browser engine in a secure access product, an unpatched firewall manager, or a Linux kernel running underneath cloud workloads. (thehackernews.com, support.sap.com, security.paloaltonetworks.com, ubuntu.com)

April’s lesson is simple: attackers only need one neglected layer, while defenders have to patch all of them on the same calendar. (thehackernews.com, msrc.microsoft.com)
