
Patch Tuesday, May 12, 2026: Security Update Report

Here we go again. May Patch Tuesday landed with a wide mix of enterprise, cloud, endpoint, browser, creative software, and infrastructure security updates. The biggest themes this month are remote code execution, command injection, SQL injection, authorization failures, privilege escalation, and denial-of-service issues.

Several vendors released critical updates on May 12, including SAP, Fortinet, Ivanti, Mozilla, Adobe, and Microsoft. Organizations should prioritize externally exposed systems, identity-connected services, remote access tooling, business-critical platforms, and products that process untrusted files.

Executive Summary

May 2026 Patch Tuesday includes notable security updates across SAP, Fortinet, Ivanti, Mozilla Firefox, Adobe, and Microsoft.

The highest-risk items this month include critical vulnerabilities in SAP S/4HANA, SAP Commerce Cloud, FortiSandbox, Ivanti Xtraction, Adobe Connect, Adobe Commerce, Microsoft Office, Microsoft SharePoint, Windows DNS, Windows Netlogon, Windows GDI, Hyper-V, Dynamics 365, and several Adobe creative products.

While not every vulnerability is remotely exploitable without authentication, many affect widely deployed enterprise products. Some require user interaction, local access, or authenticated access, but they still matter because attackers often chain lower-privilege bugs with phishing, stolen credentials, exposed services, or post-compromise movement.

Critical Severity Updates

SAP Security Patch Day: May 2026

SAP released 15 new security notes on May 12, 2026. Two are rated Critical, both with a CVSS score of 9.6.

SAP S/4HANA Enterprise Search for ABAP CVE-2026-34260

SAP Note: 3724838 | Severity: Critical | CVSS: 9.6

SQL injection in SAP S/4HANA Enterprise Search for ABAP. SQL injection issues may allow an attacker to manipulate backend database queries, leading to unauthorized data access, data modification, or broader compromise. Affected versions include SAP_BASIS 751 through 758 and 816.

Priority: Patch quickly, especially where S/4HANA search components are exposed to a broad user base.
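The bug class behind this note, shown as an added example rather than SAP's code: a search query built by string concatenation, beside the same query with a bound parameter. The table, rows and injection payload are constructed for the demo; the point is that the concatenated form lets a search term rewrite the WHERE clause and pull rows the visibility filter was meant to hide, while the parameterized form treats the same input as nothing more than a pattern.

```python
import sqlite3

# Constructed sample data, not from any SAP system. Only "public" rows should ever be returned.
ROWS = [
    ("1000", "Vendor Alpha", "public"),
    ("1001", "Vendor Beta", "restricted"),
    ("1002", "Vendor Gamma", "restricted"),
]


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for a search index that users may query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE suppliers (id TEXT, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO suppliers VALUES (?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """User input is concatenated into the statement, so quotes and comment
    markers in the term change the query structure itself."""
    sql = ("SELECT id, name FROM suppliers "
           f"WHERE name LIKE '%{term}%' AND visibility = 'public'")
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, term: str) -> list:
    """Same query with a bound parameter: the term is delivered to the engine
    as data and can never alter the statement, whatever it contains."""
    sql = ("SELECT id, name FROM suppliers "
           "WHERE name LIKE ? AND visibility = 'public'")
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed payload: closes the LIKE literal, adds an always-true condition,
# and comments out the visibility filter that follows.
PAYLOAD = "x%' OR '1'='1' -- "

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", search_vulnerable(db, PAYLOAD))   # all three rows leak
    print("fixed:     ", search_fixed(db, PAYLOAD))        # nothing matches
    print("honest:    ", search_fixed(db, "Alpha"))        # [('1000', 'Vendor Alpha')]
```

An honest search returns the same result from both functions; only the injected term behaves differently, which is the quickest way to show a developer why the concatenated version is a bug and not just a style issue.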

SAP Commerce Cloud Configuration CVE-2026-34263

SAP Note: 3733064 | Severity: Critical | CVSS: 9.6

Missing authentication check in SAP Commerce Cloud configuration, which may allow access to functionality that should require a verified user. Affected versions: HY_COM 2205, COM_CLOUD 2211, and 2211-JDK21.

Priority: High priority for any organization using SAP Commerce Cloud, especially internet-facing commerce environments.

Fortinet

FortiSandbox / FortiSandbox Cloud / FortiSandbox PaaS CVE-2026-26083

FG-IR-26-136 | Severity: Critical

Missing authorization vulnerability affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The advisory gives the attack vector as the GUI and the attacker position as internal and unauthenticated.

Authorization bugs in sandboxing platforms are important because these systems sit close to malware analysis, file inspection, and threat detection workflows. A bypass could expose sensitive security data or allow unauthorized actions.

Priority: Review FortiSandbox deployments and patch according to Fortinet guidance.

Ivanti

Ivanti Xtraction CVE-2026-8043

Severity: Critical | CVSS: 9.6

External control of a file name in Ivanti Xtraction before version 2026.2. A remote authenticated attacker could read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks.

Affected versions: Ivanti Xtraction 2026.1 and prior | Fixed version: 2026.2

Ivanti stated it is not aware of active exploitation at the time of disclosure.

Priority: Patch quickly, especially where Xtraction is used by many users or integrated with sensitive reporting data.
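The weakness class in this advisory (an externally controlled file name, CWE-73) is easy to reason about with a small model, so here is an added example that is not Ivanti's code and says nothing about how Xtraction is built. It shows a read that joins the user-supplied name straight onto a directory, the confined version that resolves the path and checks it stays under the root, and a write path that additionally refuses HTML so a web-served directory cannot be seeded with attacker content. The directory layout, secret file and allowed-extension set are all constructed for the demo.

```python
import os
import tempfile

# Assumption for this example: exports are data files only, so .html is never writable.
ALLOWED_WRITE_EXT = {".csv", ".json"}


def in_root(root: str, path: str) -> bool:
    """True when path (after symlink and '..' resolution) is root itself or below it."""
    root_real = os.path.realpath(root)
    path_real = os.path.realpath(path)
    return os.path.commonpath([root_real, path_real]) == root_real


def resolve_under_root(root: str, user_name: str) -> str:
    """Turn an externally supplied file name into a path that cannot leave root."""
    if os.path.isabs(user_name) or "\x00" in user_name:
        raise ValueError("absolute paths and NUL bytes are rejected")
    candidate = os.path.join(os.path.realpath(root), user_name)
    if not in_root(root, candidate):
        raise ValueError(f"path escapes root: {user_name!r}")
    return os.path.realpath(candidate)


def read_report_vulnerable(root: str, user_name: str) -> bytes:
    # CWE-73 pattern: the name is joined and opened as-is, so "../config.ini" walks out of root.
    with open(os.path.join(root, user_name), "rb") as f:
        return f.read()


def read_report_fixed(root: str, user_name: str) -> bytes:
    with open(resolve_under_root(root, user_name), "rb") as f:
        return f.read()


def write_export_fixed(root: str, user_name: str, data: bytes) -> str:
    """Writes are confined to root and to an extension allowlist, so a served
    directory cannot be filled with attacker-controlled HTML."""
    path = resolve_under_root(root, user_name)
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED_WRITE_EXT:
        raise ValueError(f"write of {ext!r} files is not allowed")
    with open(path, "wb") as f:
        f.write(data)
    return path


def is_rejected(fn, *args) -> bool:
    """Demo helper: True when fn raises ValueError for these arguments."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def make_fixture():
    """Constructed on-disk layout (not a real product install):
       <tmp>/app/config.ini      secret that must stay unreadable
       <tmp>/app/reports/q1.csv  legitimate report under the served root"""
    base = tempfile.mkdtemp()
    reports = os.path.join(base, "app", "reports")
    os.makedirs(reports)
    with open(os.path.join(base, "app", "config.ini"), "wb") as f:
        f.write(b"db_password=hunter2\n")
    with open(os.path.join(reports, "q1.csv"), "wb") as f:
        f.write(b"id,total\n1,42\n")
    return base, reports


if __name__ == "__main__":
    base, reports = make_fixture()
    print("vulnerable read:", read_report_vulnerable(reports, "../config.ini"))
    print("fixed read rejected:", is_rejected(read_report_fixed, reports, "../config.ini"))
    print("html write rejected:",
          is_rejected(write_export_fixed, reports, "../../public/index.html", b"<script>"))
```

The check is done on the resolved path, not on the raw string, so `..` segments, symlinks and absolute names are all handled by one rule. Rejecting the extension on writes is the second, independent control the advisory's "arbitrary HTML files to a web directory" wording calls for.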

Mozilla Firefox

Firefox 150.0.3 Mozilla Foundation Security Advisory 2026-45

Impact: High

Mozilla fixed multiple high-impact vulnerabilities in Firefox 150.0.3, including issues in the JavaScript engine, JIT compiler, WebAssembly, and Profile Backup components:

  • CVE-2026-8388: Incorrect boundary conditions in JavaScript Engine JIT
  • CVE-2026-8389: JIT miscompilation in JavaScript Engine JIT
  • CVE-2026-8390: Use-after-free in JavaScript WebAssembly
  • CVE-2026-8391: Other JavaScript Engine issue
  • CVE-2026-8401: Sandbox escape in Profile Backup

Browser vulnerabilities deserve fast attention because browsers process untrusted content constantly. Even when a vulnerability requires a crafted webpage, that is still a realistic attack path through phishing, malvertising, or compromised websites.

Priority: Update Firefox to 150.0.3.

Adobe

Adobe had a large Patch Tuesday release covering creative applications, commerce software, SDKs, and collaboration tools. Many issues involve arbitrary code execution through memory corruption or unsafe file handling.

Adobe Connect APSB26-50

Severity: Critical

Two critical vulnerabilities in the Adobe Connect Desktop Application:

  • CVE-2026-34659: Deserialization of untrusted data leading to arbitrary code execution (CVSS 9.6)
  • CVE-2026-34660: Incorrect authorization leading to privilege escalation (CVSS 9.3)

Fixed versions: Windows 2026.3.125 | macOS 2026.01.39

This is one of Adobe's highest-priority items this month given the CVSS scores and the combination of code execution with privilege escalation.

Adobe Commerce and Magento Open Source APSB26-49

Severity: Critical, Important, Moderate

Adobe Commerce and Magento Open Source received a broad set of fixes covering arbitrary code execution, arbitrary file system write, application denial-of-service, and security feature bypass. Critical CVEs include CVE-2026-34645 through CVE-2026-34653 and CVE-2026-34686.

Fixed versions include Adobe Commerce 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18; Commerce B2B 1.5.3, 1.5.2-p5, 1.4.2-p10; and Magento Open Source 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15.

Commerce platforms are high-value targets because they handle customer data, payments, admin workflows, and third-party integrations. Even when exploitation requires authentication, compromised admin or user accounts can turn these vulnerabilities into serious incidents.
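Because the fix for this bulletin is a separate patch level on each maintained branch, a plain numeric comparison gets the answer wrong: 2.4.8-p4 is newer than 2.4.7-p10 yet still vulnerable. The following is an added example (not Adobe's tooling) that encodes the fixed versions exactly as listed above for Adobe Commerce and Magento Open Source and classifies an inventory entry as patched, vulnerable, or unknown. The inventory is constructed; the B2B extension versions are left out of the table, and any branch not named in the bulletin is reported as unknown rather than safe.

```python
import re

# Fixed versions exactly as listed in APSB26-49 on this page. Value = minimum -pN patch
# level on that branch; 0 means the base release itself is the fix. A branch absent here
# is reported as "unknown", never "patched": check the bulletin directly for those.
FIXED = {
    "adobe-commerce": {"2.4.9": 0, "2.4.8": 5, "2.4.7": 10, "2.4.6": 15, "2.4.5": 17, "2.4.4": 18},
    "magento-open-source": {"2.4.9": 0, "2.4.8": 5, "2.4.7": 10, "2.4.6": 15},
}

VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)(?:-p(\d+))?")


def parse_version(version: str):
    """'2.4.7-p9' -> ('2.4.7', 9); '2.4.9' -> ('2.4.9', 0). Rejects anything else."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def patch_status(product: str, version: str) -> str:
    """Branch-aware comparison: the patch level only means something within its branch."""
    branch, plevel = parse_version(version)
    table = FIXED.get(product)
    if table is None:
        raise ValueError(f"unknown product: {product!r}")
    if branch not in table:
        return "unknown"
    return "patched" if plevel >= table[branch] else "vulnerable"


def triage(inventory):
    """inventory: iterable of (host, product, version). Returns {host: status}."""
    return {host: patch_status(product, version) for host, product, version in inventory}


# Constructed inventory for the demo, not real hosts.
INVENTORY = [
    ("shop-01", "adobe-commerce", "2.4.7-p9"),        # one patch level short of 2.4.7-p10
    ("shop-02", "adobe-commerce", "2.4.8-p5"),        # exactly the fixed build
    ("shop-03", "adobe-commerce", "2.4.8-p4"),        # numerically above 2.4.7-p10, still unpatched
    ("shop-04", "magento-open-source", "2.4.5-p17"),  # branch not listed for Open Source
    ("shop-05", "magento-open-source", "2.4.9"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

The same shape works for the Ivanti entries later on this page (22.8R5 against 22.8R6, 22.9r3 against 22.9r4, EPM 2024 SU5 against SU6) once the version regex is adjusted to each vendor's scheme; the rule that matters is to compare within a branch and to treat an unlisted branch as a question for the vendor portal, not as patched.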

Adobe Premiere Pro APSB26-46

Severity: Critical

Three critical arbitrary code execution vulnerabilities (CVE-2026-34636, CVE-2026-34637, CVE-2026-34638) including out-of-bounds write and use-after-free flaws. Exploitation requires a victim to open a malicious file. Fixed versions: Adobe Premiere 26.2 and Adobe Premiere Pro 25.6.5.

Adobe Media Encoder APSB26-47

Severity: Critical

Critical arbitrary code execution issues (CVE-2026-34639, CVE-2026-34640). Fixed versions: Adobe Media Encoder 25.6.5 and 26.2.

Adobe After Effects APSB26-48

Severity: Critical

Multiple critical memory corruption issues (CVE-2026-34690, CVE-2026-34642, CVE-2026-34643, CVE-2026-34644) that could lead to arbitrary code execution through malicious files. Fixed versions: Adobe After Effects 25.6.5 and 26.2.

Adobe Illustrator APSB26-51

Severity: Critical and Important

Critical code execution vulnerabilities (CVE-2026-34661, CVE-2026-34687) plus important issues including application denial-of-service and memory exposure. Fixed versions: Illustrator 2025 version 29.8.7 and Illustrator 2026 version 30.4.

Adobe Substance 3D Sampler APSB26-54

Severity: Critical

Heap-based buffer overflow leading to arbitrary code execution (CVE-2026-34674). Fixed version: Substance 3D Sampler 6.0.

Adobe Substance 3D Painter APSB26-55

Severity: Critical

Two out-of-bounds write vulnerabilities (CVE-2026-34675, CVE-2026-34676) leading to arbitrary code execution. Fixed version: Substance 3D Painter 12.0.3.

Adobe Content Authenticity SDK APSB26-53

Severity: Critical and Important

Denial-of-service vulnerabilities including one critical uncontrolled resource consumption issue (CVE-2026-34665). Updated versions: Content Authenticity JS SDK @contentauth/c2pa-web@0.7.1 and Rust SDK c2pa-v0.80.1.

Microsoft

Microsoft's May 2026 release includes multiple Critical vulnerabilities across Windows, Office, SharePoint, Dynamics 365, Hyper-V, DNS, Netlogon, and related components.

Microsoft Dynamics 365 On-Premises CVE-2026-42898

Severity: Critical | Impact: Remote Code Execution

Dynamics 365 on-premises environments should be reviewed closely because business applications often contain sensitive operational and customer data.

Microsoft SSO Plugin for Jira & Confluence CVE-2026-41103

Severity: Critical | Impact: Elevation of Privilege

Identity and SSO-related vulnerabilities deserve special attention. Weaknesses in authentication or authorization plugins can create paths into connected business systems.

Windows Graphics Component CVE-2026-40403

Severity: Critical | Impact: Remote Code Execution

Graphics parsing bugs are usually reached through crafted image files or embedded content; check the advisory for whether user interaction is required before treating this as lower priority.

Windows Hyper-V CVE-2026-40402

Severity: Critical | Impact: Elevation of Privilege

Hyper-V vulnerabilities matter in virtualized environments because host and guest isolation is a major security boundary.

Microsoft Word CVE-2026-40367, CVE-2026-40366, CVE-2026-40364, CVE-2026-40361

Severity: Critical | Impact: Remote Code Execution

Office document-based vulnerabilities remain a common phishing path. Users opening malicious documents can expose endpoints to code execution risk.

Microsoft SharePoint Server CVE-2026-40365

Severity: Critical | Impact: Remote Code Execution

SharePoint is frequently internet-facing or broadly accessible inside enterprise environments. Remote code execution in SharePoint should be treated as a high priority.

Microsoft Office CVE-2026-40358, CVE-2026-40363, CVE-2026-42831

Severity: Critical | Impact: Remote Code Execution

These affect Microsoft Office broadly and should be prioritized on endpoints, VDI images, and managed desktop fleets.

Windows Native WiFi Miniport Driver CVE-2026-32161

Severity: Critical | Impact: Remote Code Execution

Wireless driver flaws may be reachable by an attacker within radio range rather than from the network, depending on the exploit requirements; check the advisory's attack vector and weight laptops and other mobile endpoints accordingly.

Windows DNS Client CVE-2026-41096

Severity: Critical | Impact: Remote Code Execution

DNS client issues deserve attention because every Windows host resolves names automatically and constantly, so a flaw here has a very wide footprint; check the advisory for the exact attack vector and preconditions.

Windows Netlogon CVE-2026-41089

Severity: Critical | Impact: Remote Code Execution

Netlogon is a sensitive Windows authentication component. Vulnerabilities here should be reviewed quickly in domain environments.

Windows GDI CVE-2026-35421

Severity: Critical | Impact: Remote Code Execution

GDI vulnerabilities often involve crafted content or documents and should be prioritized on workstations and servers that process files.

High Severity Updates

SAP Forecasting & Replenishment CVE-2026-34259

SAP Note: 3732471 | Severity: High | CVSS: 8.2

OS command injection in SAP Forecasting & Replenishment. Command injection can allow attackers to run operating system commands through vulnerable application logic. Affected versions: SCM 702, 712, 713, 714.
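OS command injection is worth seeing in code because the fix is not "escape better". Below is an added example, not SAP code and not a description of how Forecasting & Replenishment is built, using a harmless `echo` as a stand-in for whatever command the application really runs. It shows the concatenated `shell=True` call, the argv form that neutralizes shell metacharacters on its own, and the hardened form that also validates the input against an allowlist so a value such as `-n` cannot become an option. The host name pattern and payload are constructed for the demo.

```python
import re
import subprocess

# RFC 1123-style host name: labels of letters, digits and hyphens, no leading or
# trailing hyphen. Anything else (spaces, ';', '$', a leading '-') is rejected.
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def lookup_vulnerable(host: str) -> str:
    """String concatenation plus shell=True: ';', '|', '&&' and '$(...)' in host
    are parsed by /bin/sh, so the caller runs whatever the user appended."""
    result = subprocess.run("echo resolving " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_argv_only(host: str) -> str:
    """argv form: no shell is involved, so metacharacters stay literal. It still
    passes the raw value through, so a program that parses options anywhere in
    argv could be steered by a value starting with '-'."""
    result = subprocess.run(["echo", "resolving", host],
                            capture_output=True, text=True)
    return result.stdout


def lookup_fixed(host: str) -> str:
    """Allowlist validation first, then the argv form: closes both shell
    injection and option injection."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host name: {host!r}")
    return lookup_argv_only(host)


def rejects(host: str) -> bool:
    """Demo helper: True when lookup_fixed refuses the value."""
    try:
        lookup_fixed(host)
    except ValueError:
        return True
    return False


# Constructed payload: a valid-looking host followed by a second shell command.
PAYLOAD = "example.com; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(PAYLOAD)))   # INJECTED runs as its own command
    print("argv only: ", repr(lookup_argv_only(PAYLOAD)))    # payload printed back literally
    print("fixed:     ", rejects(PAYLOAD), rejects("-n"), rejects("db-01.corp.example"))
```

The validation step is what makes the argv form safe in general: `subprocess` with a list removes the shell from the picture, but only an allowlist on the value keeps the downstream program from reading it as a flag.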

Fortinet FortiOS CAPWAP Daemon CVE-2025-53844

FG-IR-26-123 | Severity: High

Out-of-bounds write in the FortiOS CAPWAP daemon. CAPWAP is associated with wireless access point control, so organizations with Fortinet wireless infrastructure should review exposure and patch status.

Ivanti Secure Access Client CVE-2026-7432

Severity: High | CVSS: 7.8

Race condition in Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to escalate privileges to SYSTEM. Affected: 22.8R5 and prior | Fixed: 22.8R6.

Privilege escalation bugs are often used after initial access to move from a standard user account to full system control.

Ivanti Virtual Traffic Manager CVE-2026-8051

Severity: High | CVSS: 7.2

OS command injection in Ivanti Virtual Traffic Manager before 22.9r4. A remote authenticated attacker with admin privileges could achieve remote code execution. Affected: 22.9r3 and prior | Fixed: 22.9r4.

Ivanti Endpoint Manager CVE-2026-8110 and CVE-2026-8111

  • CVE-2026-8110: Local privilege escalation via incorrect permissions (CVSS 7.8)
  • CVE-2026-8111: SQL injection in the web console enabling remote code execution for authenticated attackers (CVSS 8.8)

Affected: Ivanti EPM 2024 SU5 and prior | Fixed: Ivanti EPM 2024 SU6

Endpoint management platforms are high-value targets because they control software deployment, endpoint configuration, and administrative workflows.

Medium and Important Updates Worth Noting

SAP medium severity notes this month cover NetWeaver, ABAP Platform, SAP BusinessObjects, Strategic Enterprise Management, SAPUI5, Financial Consolidation, and Incentive and Commission Management. Notable categories include OS command injection, missing authorization checks, cross-site scripting, CSRF, code injection, and denial-of-service. Even lower-CVSS SAP vulnerabilities carry operational risk because SAP systems support finance, procurement, HR, supply chain, and customer-facing processes.

Fortinet medium severity advisories affect FortiAP, FortiAP-U, FortiAP-W2, FortiAnalyzer, and FortiManager with issues including command injection in CLI, unsafe function usage in signal handlers, and authenticated internal attack paths. These are especially relevant in managed network environments.

Adobe Substance 3D Designer received important fixes for arbitrary file system read and arbitrary code execution. Affected: 15.1.0 and earlier | Fixed: 16.0.1.

Microsoft important-rated fixes this month cover Windows TCP/IP, Remote Desktop Services, Common Log File System Driver, Telephony Service, SQL Server, Excel, SharePoint, .NET, ASP.NET Core, Teams, Visual Studio Code, Azure components, Power Automate, Windows Print Spooler, Windows Kernel, and Edge. These should be included in normal patch cycles with priority based on exposure and asset criticality.

What Security Teams Should Do First

Patch internet-facing services first. Prioritize SAP Commerce Cloud, Adobe Commerce, SharePoint, Ivanti appliances, Fortinet services, and any remote access or traffic management systems.

Prioritize remote code execution risk. Focus on Microsoft Office, SharePoint, Windows DNS, Netlogon, Adobe Connect, Adobe creative tools, Ivanti EPM, and Adobe Commerce.

Review privileged platforms. Endpoint management, SSO plugins, Hyper-V, traffic managers, and firewall/security appliances can affect many downstream systems if compromised.

Update browsers quickly. Firefox 150.0.3 should be deployed promptly. Browser vulnerabilities remain a common entry point through phishing, malvertising, and compromised websites.

Do not ignore authenticated vulnerabilities. Many advisories require authentication, but attackers obtain credentials through phishing, password reuse, infostealers, exposed tokens, or prior compromise.

Check vendor portals for exact fixes. Patch availability, fixed builds, compatibility requirements, and workarounds vary by version and deployment model.

Practical Risk Takeaway

This month's Patch Tuesday is not just a desktop patching event. It touches enterprise applications, commerce platforms, network security products, remote access clients, development tools, browsers, virtualization, identity-related plugins, and media applications.

The most urgent patching work should focus on:

  • SAP S/4HANA and SAP Commerce Cloud
  • FortiSandbox and affected Fortinet infrastructure
  • Ivanti Xtraction, EPM, Secure Access Client, and Virtual Traffic Manager
  • Adobe Connect and Adobe Commerce
  • Microsoft Office, SharePoint, Windows DNS, Netlogon, Hyper-V, and Dynamics 365
  • Firefox 150.0.3

For workstations, prioritize Microsoft Office, Adobe applications, Firefox, and any software used to open files from external sources. For servers, prioritize exposed web apps, authentication systems, remote access components, domain infrastructure, and management platforms.


This report is based on vendor advisories available for the May 12, 2026 Patch Tuesday cycle. It is intended to help security teams prioritize updates. Please verify patch status directly with each vendor. This is not a complete list of all May 2026 security updates.

Sources:

  • Microsoft Security Response Center
  • Fortinet PSIRT
  • Ivanti May 2026 Security Update
  • Mozilla Security Advisory MFSA2026-45
  • Adobe Security Bulletins
  • SAP Security Notes May 2026