Patch Tuesday: May 2026 (Expel’s version)

Patch Tuesday (May 12, 2026) covers 137 CVEs (16 critical) with prioritized fixes for Windows RDS EoP (CVE-2026-40398), SharePoint RCE (CVE-2026-40365), and Windows DNS Client RCE (CVE-2026-41096). The report also highlights Fortinet authentication-bypass vulnerabilities—including active proof-of-concept exploitation for CVE-2026-35616 and an SOC-observed FortiGate compromise via CVE-2024-55591—and stresses timely patching and avoiding direct exposure of management interfaces.