Skip to main content

Fortisandbox

35 CVEs product

Monthly

CVE-2026-59835 HIGH This Week

Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Fortinet Information Disclosure Fortisandbox
NVD
CVSS 3.1
8.6
EPSS
0.4%
CVE-2026-25089 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.

Fortinet Command Injection Fortisandbox Fortisandbox Cloud Fortisandbox Paas
NVD VulDB
CVSS 3.1
9.8
EPSS
2.0%
Threat
5.0
CVE-2026-26083 CRITICAL NEWS Act Now

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.

Authentication Bypass Fortinet Fortisandbox Cloud Fortisandbox Fortisandbox Paas
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-39813 CRITICAL POC NEWS Act Now

Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112.

Privilege Escalation Fortinet Path Traversal Fortisandbox Fortisandbox Cloud
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-39808 CRITICAL POC KEV THREAT NEWS Emergency

OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics).

Fortinet Command Injection Fortisandbox Fortisandbox Paas
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.3%
Threat
5.0
CVE-2025-53608 MEDIUM This Month

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated privileged attacker to execute code via crafted requests. [CVSS 4.8 MEDIUM]

Fortinet XSS Fortisandbox
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-52436 HIGH This Week

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-53679 HIGH This Week

Authenticated OS command injection in Fortinet FortiSandbox (versions 5.0.0-5.0.2, 4.4.0-4.4.7, all 4.2.x, all 4.0.x) and FortiSandbox Cloud (24.1 and all 23.x) allows a high-privileged remote attacker to execute arbitrary commands by sending crafted HTTP/HTTPS requests to the management interface. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but the breadth of affected major versions and the network-reachable attack surface make this a notable post-authentication risk for security appliance operators.

Command Injection Fortinet Fortisandbox Fortisandbox Cloud
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2025-46215 MEDIUM This Month

An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortisandbox
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2021-26105 MEDIUM This Month

A stack-based buffer overflow vulnerability (CWE-121) in the profile parser of FortiSandbox version 3.2.2 and below, version 3.1.4 and below may allow an authenticated attacker to potentially execute. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Fortisandbox
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2024-54027 HIGH This Week

A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and below, version 4.2.7 and below, version 4.0.5 and below, version 3.2.4 and below, version 3.1.5 and. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Fortisandbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2024-27781 HIGH This Week

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

XSS Fortinet Fortisandbox
NVD
CVSS 3.1
7.1
EPSS
7.5%
CVE-2024-27778 HIGH This Month

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Fortinet Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2024-31490 MEDIUM This Month

An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortisandbox
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-31491 HIGH This Week

A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6 allows attacker to execute unauthorized code or commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Fortinet Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2024-31487 MEDIUM This Month

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Fortinet Fortisandbox
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-23671 HIGH This Week

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Fortinet Fortisandbox
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2024-21756 HIGH This Week

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
2.2%
CVE-2024-21755 HIGH This Week

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
2.5%
CVE-2023-45587 MEDIUM This Month

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-41844 MEDIUM This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-41843 MEDIUM PATCH This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-41836 MEDIUM PATCH This Month

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.4, FortiSandbox 4.0 all versions,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-41682 HIGH This Week

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Path Traversal Denial Of Service Fortisandbox
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-41681 MEDIUM PATCH This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2023-41680 MEDIUM PATCH This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-30305 HIGH PATCH This Week

An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Fortideceptor Fortisandbox
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2021-32591 MEDIUM PATCH This Month

A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

Fortinet Information Disclosure Fortiadc Fortimail Fortisandbox +1
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2021-24014 MEDIUM This Month

Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Fortisandbox
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-22124 HIGH This Week

An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Fortiauthenticator Fortisandbox
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-26096 HIGH This Week

Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenticated attacker to manipulate memory and alter its content by means of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2021-26097 HIGH This Week

An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Fortisandbox
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-24010 MEDIUM This Month

Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Authentication Bypass Fortisandbox
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-26098 HIGH This Week

An instance of small space of random values in the RPC API of FortiSandbox before 4.0.0 may allow an attacker in possession of a few information pieces about the state of the device to possibly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Fortisandbox
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2021-22125 HIGH This Week

An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3.2.2 may allow an authenticated administrator to execute commands on the underlying system's. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Fortisandbox
NVD
CVSS 3.1
7.2
EPSS
1.4%
EPSS 0% CVSS 8.6
HIGH This Week

Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Fortinet Information Disclosure Fortisandbox
NVD
EPSS 2% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.

Fortinet Command Injection Fortisandbox +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.

Authentication Bypass Fortinet Fortisandbox Cloud +2
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Path traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve full system compromise. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), the vulnerability permits network-based exploitation without credentials or user interaction, leading to complete confidentiality, integrity, and availability impact. Despite critical severity, EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). SSVC framework marks it as automatable with total technical impact but no current exploitation. The incomplete CVE description (placeholder text for attack vector) suggests early disclosure; verify completeness with Fortinet advisory FG-IR-26-112.

Privilege Escalation Fortinet Path Traversal +2
NVD VulDB
EPSS 0% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics).

Fortinet Command Injection Fortisandbox +1
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated privileged attacker to execute code via crafted requests. [CVSS 4.8 MEDIUM]

Fortinet XSS Fortisandbox
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]

Fortinet XSS Fortisandbox
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Authenticated OS command injection in Fortinet FortiSandbox (versions 5.0.0-5.0.2, 4.4.0-4.4.7, all 4.2.x, all 4.0.x) and FortiSandbox Cloud (24.1 and all 23.x) allows a high-privileged remote attacker to execute arbitrary commands by sending crafted HTTP/HTTPS requests to the management interface. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV, but the breadth of affected major versions and the network-reachable attack surface make this a notable post-authentication risk for security appliance operators.

Command Injection Fortinet Fortisandbox +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortisandbox
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

A stack-based buffer overflow vulnerability (CWE-121) in the profile parser of FortiSandbox version 3.2.2 and below, version 3.1.4 and below may allow an authenticated attacker to potentially execute. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Buffer Overflow Fortisandbox
NVD
EPSS 0% CVSS 8.2
HIGH This Week

A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and below, version 4.2.7 and below, version 4.0.5 and below, version 3.2.4 and below, version 3.1.5 and. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Fortisandbox
NVD
EPSS 8% CVSS 7.1
HIGH This Week

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

XSS Fortinet Fortisandbox
NVD
EPSS 1% CVSS 8.8
HIGH This Month

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Fortinet Fortisandbox
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Information Disclosure Fortisandbox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6 allows attacker to execute unauthorized code or commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Fortinet Fortisandbox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Information Disclosure Fortinet +1
NVD
EPSS 1% CVSS 8.1
HIGH This Week

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Fortinet Fortisandbox
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortisandbox
NVD
EPSS 2% CVSS 8.8
HIGH This Week

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet Command Injection Fortisandbox
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet XSS Fortisandbox
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.2, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Fortinet XSS Fortisandbox
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.4, FortiSandbox 4.0 all versions,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Fortinet Path Traversal Denial Of Service +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.1, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Fortinet XSS Fortisandbox
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Fortideceptor Fortisandbox
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1, FortiWeb before 6.3.12, FortiADC before 6.2.1, FortiMail. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable.

Fortinet Information Disclosure Fortiadc +3
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Fortisandbox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An uncontrolled resource consumption (denial of service) vulnerability in the login modules of FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6; and FortiAuthenticator. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Fortiauthenticator Fortisandbox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenticated attacker to manipulate memory and alter its content by means of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Memory Corruption Fortisandbox
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2, 3.1.0 through 3.1.4, and 3.0.0 through 3.0.6 may allow an authenticated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Fortisandbox
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Authentication Bypass Fortisandbox
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An instance of small space of random values in the RPC API of FortiSandbox before 4.0.0 may allow an attacker in possession of a few information pieces about the state of the device to possibly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Fortisandbox
NVD
EPSS 1% CVSS 7.2
HIGH This Week

An instance of improper neutralization of special elements in the sniffer module of FortiSandbox before 3.2.2 may allow an authenticated administrator to execute commands on the underlying system's. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Fortisandbox
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy