Skip to main content

Fortisandbox Paas

3 CVEs product

Monthly

CVE-2026-25089 CRITICAL POC KEV THREAT NEWS Emergency

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.

Fortinet Command Injection Fortisandbox Fortisandbox Cloud Fortisandbox Paas
NVD VulDB
CVSS 3.1
9.8
EPSS
2.0%
Threat
5.0
CVE-2026-26083 CRITICAL NEWS Act Now

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.

Authentication Bypass Fortinet Fortisandbox Cloud Fortisandbox Fortisandbox Paas
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-39808 CRITICAL POC KEV THREAT NEWS Emergency

OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics).

Fortinet Command Injection Fortisandbox Fortisandbox Paas
NVD VulDB GitHub
CVSS 3.1
9.8
EPSS
0.3%
Threat
5.0
EPSS 2% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. Because FortiSandbox is a security-analysis appliance handling untrusted samples, compromise undermines the integrity of malware verdicts and downstream detections.

Fortinet Command Injection Fortisandbox +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows unauthenticated attackers to execute arbitrary code or commands via crafted HTTP requests. This CWE-862 missing authorization flaw affects sandbox analysis appliances across multiple deployment models with CVSS 9.8 (critical) severity. Fortinet has published vendor advisory FG-IR-26-136. No CISA KEV listing or public POC identified at time of analysis, though the trivial attack complexity (AC:L) and network vector without authentication (PR:N) indicate high exploitability if technical details emerge.

Authentication Bypass Fortinet Fortisandbox Cloud +2
NVD
EPSS 0% 5.0 CVSS 9.8
CRITICAL POC KEV THREAT Emergency

OS command injection in Fortinet FortiSandbox 4.4.0-4.4.8 and FortiSandbox PaaS versions 21.3-23.4 enables remote unauthenticated attackers to execute arbitrary system commands with complete system compromise. CVSS 9.8 (network, low complexity, no privileges) but EPSS 0.29% (53rd percentile) suggests limited real-world exploitation observed despite maximum severity score. No active exploitation confirmed (not in CISA KEV). SSVC framework classifies as automatable with total technical impact but no known exploitation. Fortinet PSIRT advisory FG-IR-26-100 available but description incomplete (missing attack vector specifics).

Fortinet Command Injection Fortisandbox +1
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy