
Critical FortiSandbox API Flaws Enable Unauthenticated Command Execution

Tags: embedded-device-vulnerability, widely-deployed-product-advisory, internet-exposed-service
Updated April 16, 2026 at 01:11 PM (3 sources)

Fortinet disclosed two critical vulnerabilities in FortiSandbox that allow remote, unauthenticated attackers to compromise exposed appliances through crafted HTTP requests. CVE-2026-39808 is an OS command injection flaw in the FortiSandbox API that can lead to unauthorized command or code execution, while CVE-2026-39813 is a path traversal issue in the JRPC API that can bypass authentication and enable privilege escalation. Both issues carry a CVSS v3 score of 9.1.

The flaws affect FortiSandbox 4.4.0 through 4.4.8, and CVE-2026-39813 also impacts 5.0.0 through 5.0.5. Fortinet released fixes in 4.4.9 for both vulnerabilities and 5.0.6 for the JRPC issue, and said it had not observed exploitation in the wild at the time of disclosure. Organizations were urged to patch immediately, review internet-exposed deployments, and restrict API access to trusted networks until upgrades are completed.
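The version ranges above are exactly the kind of data a defender wants to run an inventory against, and naive string comparison gets them wrong (for example `"4.4.10" < "4.4.8"` as strings). The following added example, not Fortinet's or Mallory's code, encodes the affected and fixed versions stated in this advisory and triages a constructed host list; the host names and versions are assumed sample data.

```python
"""Affected-version triage for the two FortiSandbox CVEs in this advisory.

Added example, not vendor code. Ranges and fix versions come from the
advisory text; the inventory below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    affected: tuple  # inclusive (low, high) version ranges
    fixed_in: tuple  # fixed release per affected branch


ADVISORIES = (
    Advisory("CVE-2026-39808", (("4.4.0", "4.4.8"),), ("4.4.9",)),
    Advisory("CVE-2026-39813", (("4.4.0", "4.4.8"), ("5.0.0", "5.0.5")), ("4.4.9", "5.0.6")),
)


def parse_version(v: str) -> tuple:
    """'4.4.8' -> (4, 4, 8); tuples compare numerically, unlike strings."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, adv: Advisory) -> bool:
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in adv.affected)


def fix_for(version: str, adv: Advisory) -> Optional[str]:
    """Fixed release on the host's own major.minor branch, or None if unaffected."""
    if not is_affected(version, adv):
        return None
    branch = parse_version(version)[:2]
    for fx in adv.fixed_in:
        if parse_version(fx)[:2] == branch:
            return fx
    return adv.fixed_in[-1]  # fallback: newest listed fix


def triage(inventory: dict) -> dict:
    """host -> [(cve, fix_version)] for every advisory the host's version falls in."""
    return {host: [(a.cve, fix_for(ver, a)) for a in ADVISORIES if is_affected(ver, a)]
            for host, ver in inventory.items()}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {"fsa-dc1": "4.4.8", "fsa-dc2": "5.0.5", "fsa-lab": "5.0.6", "fsa-old": "4.4.10"}

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_INVENTORY).items():
        print(host, hits or "not affected")
```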

Timeline

  1. Apr 14, 2026

    Fortinet releases fixed FortiSandbox versions and mitigation guidance

    Fortinet said CVE-2026-39808 is fixed in FortiSandbox 4.4.9, while CVE-2026-39813 is fixed in versions 4.4.9 and 5.0.6. The company also stated it had not observed exploitation in the wild at disclosure time and urged customers to patch, review exposed deployments, and restrict API access to trusted networks as an interim mitigation.

  2. Apr 14, 2026

    Fortinet discloses two critical FortiSandbox vulnerabilities

    On 2026-04-14, Fortinet disclosed CVE-2026-39808 and CVE-2026-39813, two critical FortiSandbox flaws rated CVSS 9.1 that can be exploited remotely without authentication via crafted HTTP requests. The issues affect FortiSandbox 4.4.x, and CVE-2026-39813 also affects versions 5.0.0 through 5.0.5.


Related Stories

Fortinet Discloses Critical Command Injection and SQL Injection Flaws


Fortinet disclosed two high-severity vulnerabilities affecting **FortiSandbox** and **FortiDDoS-F**, both of which could allow unauthorized code or command execution. **CVE-2026-39808** is an OS command injection flaw in FortiSandbox versions `4.4.0` through `4.4.8`, mapped to `CWE-78`, with a `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating remote exploitation without authentication and high impact across confidentiality, integrity, and availability. Fortinet also disclosed **CVE-2026-39815**, an SQL injection vulnerability in FortiDDoS-F versions `7.2.1` through `7.2.2`, mapped to `CWE-89`. The flaw requires low privileges but may likewise enable unauthorized code or command execution, and carries a `CVSS 3.1` vector of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. The issues are tracked in Fortinet advisories **FG-IR-26-100** and **FG-IR-26-119**, respectively, expanding the vendor's latest set of appliance security fixes.

2 weeks ago
Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products


Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the `admindel_confirm`, `name`, and `upload_vdi_file` parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the `hcproxy` component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately. For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the `ApacheCookie_parse` method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.

1 month ago
Critical Fortinet FortiOS and FortiProxy Flaws Enable Remote Compromise


Fortinet disclosed multiple critical vulnerabilities in **FortiOS** and related products, including an authentication bypass in **FortiOS** and **FortiProxy** that can grant attackers **super-admin privileges** and is being **actively exploited in the wild**. The flaw can be triggered through specially crafted requests to the **Node.js websocket module** and affects FortiOS `7.0.0` through `7.0.16`, FortiProxy `7.2.0` through `7.2.12`, and FortiProxy `7.0.0` through `7.0.19`. Organizations were told to upgrade to FortiOS `7.0.17+`, FortiProxy `7.2.13+`, or FortiProxy `7.0.20+`, and to apply Fortinet’s recommended mitigations immediately. Separate Fortinet advisories also warned of critical flaws **CVE-2024-21762** and **CVE-2024-23113**, affecting **FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager**. **CVE-2024-21762** carries a **CVSS 9.6** rating, while **CVE-2024-23113** is rated **CVSS 9.8**; both require urgent patching to fixed versions identified by Fortinet. Fortinet and national cyber authorities said defenders should prioritize upgrades across exposed appliances, and for `CVE-2024-21762`, disabling the **SSL VPN** feature can reduce exposure until patches are applied.

1 week ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed. Before adversaries strike.