It’s Patch Tuesday, which means a number of software vendors have released patches for various security vulnerabilities impacting their products and services.
Microsoft issued fixes for 59 flaws, including six actively exploited zero-days in various Windows components that could be abused to bypass security features, escalate privileges, and trigger a denial-of-service (DoS) condition.
Elsewhere, Adobe released updates for Audition, After Effects, InDesign Desktop, Substance 3D, Bridge, Lightroom Classic, and DNG SDK. The company said it’s not aware of in-the-wild exploitation of any of the shortcomings.
SAP shipped fixes for two critical-severity vulnerabilities, including a code injection bug in SAP CRM and SAP S/4HANA (CVE-2026-0488, CVSS score: 9.9) that an authenticated attacker could use to run an arbitrary SQL statement and lead to a full database compromise.
The second critical vulnerability is a case of a missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform (CVE-2026-0509, CVSS score: 9.6) that could permit an authenticated, low-privileged user to perform certain background Remote Function Calls without the required S_RFC authorization.
“To patch the vulnerability, customers must implement a kernel update and set a profile parameter,” Onapsis said. “Adjustments in user roles and UCON settings might be required to not interrupt business processes.”
Rounding off the list, Intel and Google said they teamed up to examine the security of Intel Trust Domain Extensions (TDX) 1.5, uncovering five vulnerabilities in the module (CVE-2025-32007, CVE-2025-27940, CVE-2025-30513, CVE-2025-27572, and CVE-2025-32467), and nearly three dozen weaknesses, bugs, and improvement suggestions.
“Intel TDX 1.5 introduces new features and functionality that bring confidential computing significantly closer to feature parity with traditional virtualization solutions,” Google said. “At the same time, these features have increased the complexity of a highly privileged software component in the TCB [Trusted Computing Base].”
Software Patches from Other Vendors
Security updates have also been released by other vendors in recent weeks to rectify several vulnerabilities, including —
- ABB
- Amazon Web Services
- AMD
- AMI
- Apple
- ASUS
- AutomationDirect
- AVEVA
- Broadcom (including VMware)
- Canon
- Check Point
- Cisco
- Citrix
- Commvault
- ConnectWise
- D-Link
- Dassault Systèmes
- Dell
- Devolutions
- dormakaba
- Drupal
- F5
- Fortinet
- Foxit Software
- FUJIFILM
- Fujitsu
- Gigabyte
- GitLab
- Google Android and Pixel
- Google Chrome
- Google Cloud
- Grafana
- Hikvision
- Hitachi Energy
- HP
- HP Enterprise (including Aruba Networking and Juniper Networks)
- IBM
- Intel
- Ivanti
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- MongoDB
- Moxa
- Mozilla Firefox and Thunderbird
- n8n
- NVIDIA
- Phoenix Contact
- QNAP
- Qualcomm
- Ricoh
- Rockwell Automation
- Samsung
- Schneider Electric
- ServiceNow
- Siemens
- SolarWinds
- Splunk
- Spring Framework
- Supermicro
- Synology
- TP-Link
- WatchGuard
- Zoho ManageEngine
- Zoom, and
- Zyxel
