12
CVEs
1
Critical
3
High
0
KEV
0
PoC
4
Unpatched C/H
0.0%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
1
HIGH
3
MEDIUM
8
LOW
0
Monthly CVE Trend
Affected Products (30)
Fortios
164
Fortiweb
83
Fortiproxy
72
Fortimanager
52
Forticlient
42
Fortianalyzer
37
Fortisandbox
23
Fortipam
19
Fortiwlm
19
Fortinet Antivirus
17
Fortimanager Cloud
17
Fortiportal
16
Fortiadc
16
Fortisiem
14
Fortimail
14
Fortimanager Firmware
14
Panda Antivirus
13
Fortiauthenticator
13
Fortivoice
12
Rising Antivirus
12
Fortianalyzer Firmware
11
Esafe
11
Fortianalyzer Cloud
10
Kaspersky Anti Virus
10
Fortiswitchmanager
10
Fortirecorder
9
Gateway
9
Fortiswitch
9
Fortisoar
9
Open Redirect
9
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-59835 | Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. | HIGH | 8.6 | 0.4% | 43 |
No patch
|
| CVE-2026-59841 | Privilege escalation in Fortinet FortiSIEM Windows Agent 7.4.0 through 7.4.1 stems from an improper restriction of the agent's communication channel (CWE-923), letting an adjacent-network attacker interact with an endpoint that should be limited to trusted parties and thereby gain elevated privileges with full confidentiality, integrity, and availability impact. The flaw was disclosed by Fortinet PSIRT (FG-IR-26-155) and carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is gated by high attack complexity, which materially reduces real-world likelihood despite the unauthenticated vector. | HIGH | 7.5 | 0.1% | 43 |
No patch
|
| CVE-2025-53379 | Information disclosure in Fortinet FortiAuthenticator (6.5 all versions and 6.6.0–6.6.2) lets a remote unauthenticated attacker read out-of-bounds memory via a specially crafted request, exposing sensitive in-memory data. The CVSS temporal metrics (E:F, RC:C) indicate a functional, confirmed exploit is understood by the vendor, and an official fix is available (RL:O). No CISA KEV listing is present, so this is not confirmed as actively exploited despite the mature exploit signal. | HIGH | 7.5 | 0.4% | 38 |
No patch
|
| CVE-2026-59836 | Improper TLS certificate validation in Fortinet FortiClientEMS (Endpoint Management Server) exposes sensitive information to network-positioned attackers across FortiClientEMS 7.2 (all listed builds up to 7.2.14), 7.4.0–7.4.1, and 7.4.3–7.4.5. Because the client fails to properly verify server certificates (CWE-295), an attacker able to intercept EMS communications can decrypt or observe protected traffic to disclose information. There is no public exploit identified at time of analysis and CISA SSVC scores exploitation as 'none', but Fortinet rates the flaw CVSS 9.8, so patching should be prioritized despite the lack of observed exploitation. | CRITICAL | 9.8 | 0.1% | 34 |
No patch
|
| CVE-2026-59837 | Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution for a privileged authenticated attacker capable of bypassing ASLR and stack canary protections via crafted HTTP requests. The CVSS temporal metric E:P confirms proof-of-concept exploit code exists, and RL:O confirms an official patch has been released by Fortinet (advisory FG-IR-26-148). This vulnerability is not listed in CISA KEV at time of analysis, and the dual prerequisites of privileged access plus memory-protection bypass substantially constrain real-world exploitability despite the critical CIA impact triad. | MEDIUM | 6.6 | 0.6% | 33 |
No patch
|
| CVE-2026-23573 | Reflected or stored cross-site scripting in Fortinet FortiOS, FortiPAM, and FortiProxy web interfaces allows a remote unauthenticated attacker to execute JavaScript in the browser session of an authenticated administrator via crafted HTTP requests. The CVSS temporal metric E:P confirms publicly available proof-of-concept exploit code exists, and the RL:O metric confirms Fortinet has released an official fix. No active exploitation has been confirmed by CISA KEV at time of analysis, but the combination of a POC and the high-value targets (network security appliances and privileged access management systems) elevates real-world risk beyond what the base CVSS score of 6.1 suggests. | MEDIUM | 6.1 | 0.3% | 30 |
No patch
|
| CVE-2026-59839 | Path traversal (CWE-22) in Fortinet FortiOS, FortiProxy, and FortiPAM enables a highly-privileged, physically-present attacker to execute unauthorized code or commands by escaping restricted directory boundaries. The vendor-supplied CVSS vector (AV:P/PR:H) constrains exploitation to scenarios requiring both physical device access and high-level credentials, making opportunistic or remote mass exploitation implausible. A proof-of-concept exists per the CVSS temporal indicator (E:P), and Fortinet has released an official fix per PSIRT advisory FG-IR-26-151; this vulnerability is not currently listed in the CISA KEV catalog. | MEDIUM | 5.5 | 0.2% | 28 |
No patch
|
| CVE-2026-59838 | Stored or reflected cross-site scripting in Fortinet FortiSIEM's web interface enables a high-privileged authenticated attacker to inject malicious script tags that execute in the browsers of other users who view the affected page. The vulnerability spans a wide version range from FortiSIEM 6.4 through 7.4.0, affecting all deployments of this enterprise SIEM platform. No active exploitation has been confirmed by CISA KEV, and no public exploit code is identified at time of analysis; the PR:H requirement meaningfully constrains real-world attacker opportunity despite the scope change to the victim's browser context. | MEDIUM | 4.8 | – | 24 |
No patch
|
| CVE-2025-43892 | FortiOS across the 7.2, 7.4, and 7.6 release trains leaks portions of device runtime memory to authenticated remote attackers via a buffer over-read in redirect response handling. Exploitation requires valid credentials but no elevated privileges, and proof-of-concept code exists (CVSS temporal E:P). An official vendor fix is confirmed available (RL:O), though unpatched instances of FortiOS 7.2.x, 7.4.0-7.4.8, and 7.6.0-7.6.2 remain at risk of sensitive memory disclosure - a consequential exposure given that FortiOS processes session tokens, credentials, and cryptographic material at runtime. | MEDIUM | 4.3 | 0.3% | 22 |
No patch
|
| CVE-2025-62675 | HTTP Response Splitting in Fortinet FortiOS and FortiProxy enables an attacker who holds a valid web filter override token to inject arbitrary HTTP headers into server responses by tricking a user into clicking a crafted link. Affected versions span FortiOS 7.2 through 7.6.4 and FortiProxy 7.2 through 7.6.4. No active exploitation has been confirmed by CISA KEV, though the CVSS temporal vector includes E:P, indicating partial proof-of-concept evidence exists. Real-world impact is constrained by the requirement to possess a valid web filter override token and to achieve user interaction. | MEDIUM | 4.3 | 0.2% | 22 |
No patch
|
| CVE-2025-62826 | HTTP Response Splitting in Fortinet FortiOS and FortiProxy captive portal authentication flows enables a man-in-the-middle attacker to inject arbitrary HTTP headers into intercepted authentication requests. Affected platforms span FortiOS 7.2-7.6.4 and FortiProxy 7.2-7.6.4. The CVSS temporal vector includes E:P, confirming proof-of-concept exploit code exists; however, no active exploitation has been confirmed via CISA KEV. The RL:O temporal indicator confirms an official remediation is available per vendor advisory FG-IR-26-153. | MEDIUM | 4.3 | 0.3% | 22 |
No patch
|
| CVE-2026-59840 | Buffer over-read in Fortinet FortiOS and FortiProxy exposes sensitive memory contents to authenticated network attackers across multiple product lines including FortiPAM and FortiSwitchManager. The flaw, rooted in CWE-126 (buffer over-read), allows low-privileged remote users to read beyond allocated buffer boundaries, resulting in partial information disclosure with no integrity or availability impact. No active exploitation confirmed in CISA KEV, but the CVSS temporal vector includes E:P indicating proof-of-concept exploit code exists, and an official fix is available per RL:O. | MEDIUM | 4.3 | 0.2% | 22 |
No patch
|