Patch [Fix] Tuesday April 2026: SQL Server Privilege Escalation, SharePoint XSS, and 80 Chromium Fixes

Tax Day isn't the only deadline this week. This month's Patch Tuesday delivers a SQL Server elevation of privilege that bypasses role separation entirely, an actively exploited cross-site scripting (XSS) flaw in SharePoint, and 80 Edge and Chromium vulnerabilities that were also released this month.

The common thread: input validation. SQL injection in the database engine, XSS in SharePoint, and memory safety flaws across Chromium all trace back to code that trusted its input when it shouldn't have. One of these is already being exploited in the wild.

For the full breakdown, listen to the Patch [FIX] Tuesday podcast.

SQL Server elevation of privilege vulnerability

CVE-2026-33120 (CVSS 8.8/10) is a SQL injection vulnerability in the Microsoft SQL Server database engine itself, not in a web application or front-end form. An attacker who already holds high-level privileges on the local system can exploit this flaw to escalate to SQL sysadmin, the highest permission level within a SQL Server instance. Once there, they own the data, the configuration, and the ability to execute operating system commands through the database.

This CVE drops alongside a separate SQL Server remote code execution (RCE) vulnerability in the same cycle. One bug allows an attacker to get into your SQL instance from the network. The other lets someone already inside promote themselves to full control. The elevation of privilege flaw is not actively exploited at the time of writing, but its pairing with an RCE in the same release makes patching urgent.

Organizations that share service accounts across SQL Server functions face the worst outcome here. A single over-privileged account turns a contained escalation into an environment-wide compromise.

How attackers may exploit this vulnerability

• An attacker with an existing foothold on a system hosting SQL Server injects crafted SQL statements that bypass normal privilege boundaries, promoting their session to sysadmin.

• If the companion RCE is also unpatched, the attacker can chain initial network access into full database control in two steps.

• Shared service accounts that authenticate to multiple SQL instances make lateral movement easy – sysadmin access on one server exposes credentials for the rest.

What to look out for

• Unexpected privilege changes on SQL Server instances, particularly accounts gaining sysadmin or db_owner roles outside of scheduled maintenance windows.

• Service accounts authenticating to SQL Server from unusual source systems or at irregular times – a sign that credentials may be compromised.

• SQL Server audit logs showing xp_cmdshell execution or other operating system command activity from accounts that should not have sysadmin privileges.

Mitigation guidance

• Apply the Microsoft patch immediately.

• Audit your SQL Server role assignments. Identify which accounts hold sysadmin and reduce that list to the minimum required.

• Implement one service account per function. Shared service accounts multiply the blast radius of any compromise.

• Enable SQL Server auditing for privilege changes and command execution. Detection matters when prevention fails.

– Ryan Braunstein, Security Manager of Security and IT, Automox

SharePoint cross-site scripting vulnerability

CVE-2026-32201 (CVSS 6.5/10) is a cross-site scripting vulnerability in Microsoft SharePoint, and attackers are actively exploiting it. The root cause is an input validation failure. An unauthenticated attacker can inject malicious scripts through improperly sanitized input fields without needing prior privileges.

Microsoft has confirmed exploitation in the wild. The 6.5 CVSS score understates the risk because this flaw requires no authentication. External threats can target internet-facing SharePoint instances directly. On-premises SharePoint servers exposed to the internet carry the highest risk. SharePoint often connects to back-end storage, directory services, and internal collaboration tools. A successful XSS exploit gives attackers a path deeper into your environment.

XSS and SQL injection still show up in 2026. Codebases are growing larger and more complex, and AI-generated code introduces patterns that haven't been battle-tested. Automated code still needs manual security review.

How attackers may exploit this vulnerability

• Malicious JavaScript injected through unvalidated input fields executes in the browser of any user who visits the compromised SharePoint page.

• From there, the attacker can steal session cookies or authentication tokens, enabling account takeover without credential theft.

• The XSS foothold also opens the door to phishing redirects and malicious payload downloads, turning a single flaw into a broader campaign.

• External-facing SharePoint sites are the most exposed, since attackers can reach users outside the corporate network without touching perimeter defenses.

What to look out for

• Unexpected script execution or iframe injection on SharePoint pages, particularly on sites accessible to external users.

• Session token reuse or authentication events from unfamiliar IP addresses shortly after users interact with SharePoint content.

• Users reporting unexpected redirects, login prompts, or file download requests when accessing SharePoint pages they visit regularly.

Mitigation guidance

• Patch immediately. Active exploitation means this vulnerability is not theoretical. Attackers are using it now.

• Audit your SharePoint exposure. Identify which instances are accessible from the internet and prioritize those for patching. If you run on-premises SharePoint exposed to the public internet, patch those instances first.

• Review Content Security Policy (CSP) headers on your SharePoint instances. A properly configured CSP can limit the impact of XSS by restricting which scripts the browser will execute.

• Monitor authentication logs for session hijacking indicators: multiple sessions from the same token, geographic anomalies, or authentication events that don't match expected user behavior.

– Mat Lee, Senior Security Engineer, Automox

Microsoft released fixes for approximately 80 Edge and Chromium-based vulnerabilities this cycle – roughly three-quarters of the entire Patch Tuesday advisory sheet. None are confirmed as actively exploited.

Edge and Chromium patches are far easier to deploy than SQL Server or SharePoint updates. There are no database migrations, no downtime windows, and no complex dependency chains. You can push browser updates across your fleet in minutes, making this a low-effort, high-return patching target.

With 80 fixes on the table, the risk of leaving any of them unpatched outweighs the minimal disruption of a browser restart.

How attackers may exploit these vulnerabilities

• Malicious websites or compromised ads can trigger memory corruption, use-after-free, or type confusion flaws in the rendering engine of an unpatched browser.

• Multiple browser vulnerabilities chained together can escape the sandbox and give the attacker code execution on the underlying operating system.

• In targeted phishing campaigns, a single click on a malicious link may be enough to compromise the endpoint through one of these flaws.

What to look out for

• Browser crashes or unexpected restarts, which can indicate exploitation attempts targeting memory safety vulnerabilities.

• Endpoint detection alerts related to browser child processes spawning unusual system calls or writing to protected directories.

• Users reporting strange behavior on websites they visit regularly – a potential sign of watering hole attacks targeting known browser flaws.

Mitigation guidance

• Update Edge and Chromium-based browsers across your environment immediately. The low deployment friction makes delaying this patch cycle difficult to justify.

• Enable automatic browser updates where possible, and verify that update policies aren't being blocked by group policy conflicts or network restrictions.

• Use browser isolation or sandboxing for high-risk users – those who regularly access external websites or click links in email – to contain any exploitation that occurs before patches are applied.

• Review your browser extension inventory. Third-party extensions can introduce additional attack surface and may not receive patches on the same cycle as the browser itself.

– Mat Lee, Senior Security Engineer, Automox

Update your BIOS, firmware, and operating systems every month this year. These updates deliver the rotated Secure Boot certificates that must be in place before Microsoft's current certificates expire.

Endpoints that miss the window won't be able to install updates signed with the new certificates.

A 6.5-rated XSS flaw under active exploitation demands faster action than an 8.8 that hasn't been seen in the wild. Patch order should follow real-world risk, not CVSS alone.

Beyond patching: scope your service accounts and audit which services hold more privilege than they need. Keep your browsers current – it's the lowest-friction update you'll apply all month.

And don't let those Secure Boot certificates slip until next month.

• Microsoft Security Response Center – April 2026 Security Updates – Full list of April 2026 Patch Tuesday advisories and CVSS scores

• OWASP – Cross-Site Scripting (XSS) – Background on XSS attack types and prevention strategies

• CISA – Known Exploited Vulnerabilities Catalog – Authoritative tracker for actively exploited CVEs, including CVE-2026-32201

• Microsoft – Secure Boot Key Update Guidance – Guidance on rotating Secure Boot certificates ahead of expiration