Fortinet FortiClient EMS faces dual critical-severity exposure this period. CVE-2026-35616 (CVSS 9.8, CISA KEV, federal remediation deadline April 9, 2026) is an actively exploited improper access control flaw enabling unauthenticated remote code execution; this is the highest-urgency item in the rollup. CVE-2026-21643 (CVSS 9.8) is a critical SQL injection in the EMS administrative interface with lower current EPSS but significant credential and data exposure potential. Both vulnerabilities require immediate patching via FortiGuard PSIRT advisories; restrict EMS management interface access to trusted networks without delay.