CVE-2026-21643 is a pre-authentication SQL injection vulnerability (CVSS 9.8, CWE-89) in Fortinet FortiClient EMS that enables unauthenticated remote code execution via HTTP requests. CISA KEV lists it with a federal remediation deadline of April 16, 2026, making it the most time-sensitive patching obligation in this rollup. Confirmed affected versions include FortiClient EMS 7.4.4; the full 7.x affected range requires validation against the Fortinet PSIRT advisory at fortiguard.com/psirt. Any internet-facing FortiClient EMS instance should be access-restricted to trusted management IP ranges immediately, and Windows process creation auditing should be enabled on the EMS host to detect exploitation via unexpected child processes spawned by the EMS service account.
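One way to carry out the process creation auditing step on the EMS host, as an added example that is not taken from the Fortinet advisory or this rollup. It assumes an elevated PowerShell session on an English-language Windows Server 2016 or later host; the `$EmsServiceAccount` default is a placeholder, since the actual account name is not given here and must be taken from the EMS services' logon settings.

```powershell
# Added example. Run from an elevated PowerShell session on the EMS host.
param(
    # Assumption: placeholder value. Replace with the account the EMS services run as.
    [string]$EmsServiceAccount = 'EMS_SERVICE_ACCOUNT_PLACEHOLDER',
    [int]$LookbackHours = 24
)

# 1. Enable success auditing for process creation (Security event ID 4688).
#    The subcategory name is localized; this is the English name.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Record the full command line in each 4688 event.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Collect the 4688 events in the lookback window. Only events logged after
#    step 1 took effect will exist, so the first run may return nothing.
$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 4. Keep only processes created under the EMS service account.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['SubjectUserName'] -ne $EmsServiceAccount) { continue }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Parent      = $data['ParentProcessName']   # populated on Server 2016 / Windows 10 and later
        Child       = $data['NewProcessName']
        CommandLine = $data['CommandLine']
    }
}

# 5. Group by parent/child pair and list the rarest pairs first, so a child
#    process the service does not normally start is at the top for review.
$rows | Group-Object Parent, Child | Sort-Object Count |
    Select-Object Count, Name,
        @{ n = 'LastSeen';          e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } },
        @{ n = 'SampleCommandLine'; e = { $_.Group[0].CommandLine } } |
    Format-Table -AutoSize -Wrap
```

A domain GPO that configures advanced audit policy will overwrite the local `auditpol` setting at the next policy refresh, so on domain-joined hosts the same two settings belong in the GPO.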