Fortinet Discloses Critical Command Injection and SQL Injection Flaws

Tags: embedded-device-vulnerability, widely-deployed-product-advisory
Updated April 14, 2026 at 06:05 PM (2 sources)


Fortinet disclosed two high-severity vulnerabilities affecting FortiSandbox and FortiDDoS-F, both of which could allow unauthorized code or command execution. CVE-2026-39808 is an OS command injection flaw in FortiSandbox versions 4.4.0 through 4.4.8, mapped to CWE-78, with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation without authentication and high impact across confidentiality, integrity, and availability.

Fortinet also disclosed CVE-2026-39815, an SQL injection vulnerability in FortiDDoS-F versions 7.2.1 through 7.2.2, mapped to CWE-89. The flaw requires low privileges but may likewise enable unauthorized code or command execution, and carries a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issues are tracked in Fortinet advisories FG-IR-26-100 and FG-IR-26-119, respectively, expanding the vendor's latest set of appliance security fixes.

Timeline

  1. Apr 14, 2026

    Fortinet discloses CVE-2026-39815 in FortiDDoS-F

    Fortinet disclosed CVE-2026-39815, an SQL injection vulnerability affecting FortiDDoS-F versions 7.2.1 through 7.2.2. The flaw could allow unauthorized code or command execution and is referenced in advisory FG-IR-26-119.

  2. Apr 14, 2026

    Fortinet discloses CVE-2026-39808 in FortiSandbox

    Fortinet disclosed CVE-2026-39808, an OS command injection flaw affecting FortiSandbox versions 4.4.0 through 4.4.8. The vulnerability could allow unauthorized code or command execution and is referenced in advisory FG-IR-26-100.


Related Stories

Critical FortiSandbox API Flaws Enable Unauthenticated Command Execution

Fortinet disclosed two critical vulnerabilities in **FortiSandbox** that allow remote, unauthenticated attackers to compromise exposed appliances through crafted HTTP requests. **`CVE-2026-39808`** is an OS command injection flaw in the FortiSandbox API that can lead to unauthorized command or code execution, while **`CVE-2026-39813`** is a path traversal issue in the JRPC API that can bypass authentication and enable privilege escalation. Both issues carry a **CVSS v3 score of 9.1**. The flaws affect **FortiSandbox 4.4.0 through 4.4.8**, and **`CVE-2026-39813`** also impacts **5.0.0 through 5.0.5**. Fortinet released fixes in **4.4.9** for both vulnerabilities and **5.0.6** for the JRPC issue, and said it had not observed exploitation in the wild at the time of disclosure. Organizations were urged to patch immediately, review internet-exposed deployments, and restrict API access to trusted networks until upgrades are completed.

2 weeks ago
Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products

Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the `admindel_confirm`, `name`, and `upload_vdi_file` parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the `hcproxy` component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately. For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the `ApacheCookie_parse` method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.

1 month ago
Exploited Critical Fortinet Flaws Expose FortiWeb and FortiManager to Takeover

Fortinet disclosed two critical vulnerabilities affecting **FortiWeb** and **FortiManager**, both of which have been exploited in the wild and can lead to full device compromise. In FortiWeb, multiple versions are affected by an unauthenticated SQL injection flaw that lets attackers send crafted HTTP or HTTPS requests to execute unauthorized SQL commands, bypass access controls, read sensitive configuration and user data, alter or delete database records, and potentially escalate to complete system takeover. Fortinet advised customers to upgrade immediately to fixed releases or disable the HTTP/HTTPS management interface as a temporary workaround. In FortiManager, the critical flaw tracked as `CVE-2024-47575` allows unauthenticated remote code execution and remote command execution, with exploitation observed globally and against Finnish organizations. A successful attack can give intruders control of vulnerable FortiManager systems and expose connected device configuration data and passwords. Fortinet issued patches for most affected branches, while **FortiManager Cloud 6.4** has no fix and must be upgraded; the company also warned that if exploitation is suspected, patching alone is insufficient and organizations should perform a full incident investigation using Fortinet’s compromise-assessment guidance.

1 week ago