Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass authentication and execute arbitrary code.

Topping the list is a critical flaw impacting Ivanti Xtraction (CVE-2026–8043, CVSS score: 9.6) that could be exploited to achieve information disclosure or client-side attacks.

“External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible client-side attacks,” Ivanti said in an advisory.

Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database.

One of the flaws is tracked as CVE-2026–4782 and can be exploited in all versions of the plugin through 3.15.2 by an authenticated users with at least subscriber-level access to read the contents of any file on the server.

The other security issue received the identifier CVE-2026–4798 and is an SQL injection that can be leveraged without authentication. However, exploitation is possible only if the WooCommerce e-commerce plugin for WordPress has been enabled and then deactivated.

Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was “by design.”

This behavior was disclosed on May 4 by security researcher Tom Jøran Sønstebyseter Rønning, who demonstrated that all credentials stored in the Edge built-in password manager were decrypted on launch and kept in memory even when not in use.

Rønning also released a proof-of-concept (PoC) tool that would allow attackers with Administrator privileges to dump passwords from other users’ Edge processes (without admin privileges, the PoC only allows accessing Edge processes launched by the same user).