Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow attacker to denial of service via <insert attack vector here>
AnalysisAI
Denial of service in Fortinet FortiWeb 7.0-8.0.3 via integer overflow allows authenticated remote attackers with high privileges to crash the application, resulting in service unavailability. The vulnerability has a CVSS score of 4.9 (Medium) and affects multiple FortiWeb versions across a wide range. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
Fortinet FortiWeb is a web application firewall (WAF) product that protects web applications from attacks. The vulnerability is rooted in an integer overflow or wraparound condition (CWE-190), a class of weakness where arithmetic operations on integers fail to account for the possibility of overflow, causing unexpected behavior or resource exhaustion. The affected product is identified by CPE cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* across versions 7.0 through 8.0.3. This type of vulnerability typically occurs in memory allocation, buffer handling, or packet processing routines where integer values are used to determine resource sizes or loop bounds without proper validation.
RemediationAI
Upgrade FortiWeb to a patched version beyond the affected ranges: FortiWeb 7.0 users should upgrade to version 7.0.13 or later, FortiWeb 7.2 users to 7.2.13 or later, FortiWeb 7.4 users to 7.4.13 or later, FortiWeb 7.6 users to 7.6.7 or later, and FortiWeb 8.0 users to 8.0.4 or later. Consult the Fortinet PSIRT advisory (https://fortiguard.fortinet.com/psirt/FG-IR-26-108) for the exact patched versions available for your deployment. As a compensating control pending patching, restrict administrative access to FortiWeb to trusted users and monitor administrative activity for anomalies that could indicate exploitation.
Fortinet FortiWeb contains a relative path traversal allowing unauthenticated attackers to execute administrative comman
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiWeb contains an authenticated OS command injection allowing privilege escalation to execute unauthorized c
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
A product has a SQL injection vulnerability enabling unauthenticated database compromise through improperly neutralized
Remote code execution in Fortinet FortiClientEMS versions 7.4.5 through 7.4.6 allows unauthenticated attackers to execut
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in
Fortinet FortiAnalyzer and FortiManager contain a critical authentication bypass vulnerability (CVE-2026-24858, CVSS 9.8
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
The Gzip file parser in AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5
The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22340
GHSA-vf2h-7fg9-fhfj