Summary
On April 14, 2026, Fortinet published a series of PSIRT security advisories covering four vulnerabilities affecting FortiSandbox, FortiDDoS-F, FortiAnalyzer Cloud, and FortiManager Cloud. Two of these are classified as critical (CVSS 9.1), and two as high (CVSS 7.3–7.9).
Depending on the product, these vulnerabilities could allow an attacker to execute arbitrary code or commands, bypass authentication, escalate privileges, or manipulate data. The two critical FortiSandbox issues are exploitable over the network without authentication.
CVE-2026-39808 – OS Command Injection in FortiSandbox (Critical)
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-39808 |
| Advisory | FG-IR-26-100 |
| Severity | Critical |
| CVSS Score | 9.1 |
| CWE | CWE-78 (OS Command Injection) |
| Attack Vector | Network, unauthenticated |
Description
Improper neutralization of special elements used in OS commands in FortiSandbox API endpoints allows an unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiSandbox 4.4 | 4.4.0 – 4.4.8 | 4.4.9 or later |
FortiSandbox 5.0 and FortiSandbox PaaS 5.0 are not affected.
CVE-2026-39813 – Authentication Bypass and Privilege Escalation in FortiSandbox (Critical)
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-39813 |
| Advisory | FG-IR-26-112 |
| Severity | Critical |
| CVSS Score | 9.1 |
| CWE | CWE-24 (Path Traversal) |
| Attack Vector | Network, unauthenticated |
Description
A path traversal vulnerability in the FortiSandbox JRPC API allows an unauthenticated attacker to bypass authentication and escalate privileges through crafted HTTP requests.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiSandbox 5.0 | 5.0.0 – 5.0.5 | 5.0.6 or later |
| FortiSandbox 4.4 | 4.4.0 – 4.4.8 | 4.4.9 or later |
CVE-2026-39815 – SQL Injection in FortiDDoS-F (High)
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-39815 |
| Advisory | FG-IR-26-119 |
| Severity | High |
| CVSS Score | 7.9 |
| CWE | CWE-89 (SQL Injection) |
| Attack Vector | Network, authenticated |
Description
An SQL injection vulnerability in the FortiDDoS-F API allows an authenticated attacker to execute arbitrary SQL queries on the database via crafted HTTP requests, potentially leading to data manipulation and unauthorized code execution.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiDDoS-F 7.2 | 7.2.1 – 7.2.2 | 7.2.3 or later |
FortiDDoS-F versions 7.0, 6.6, 6.5, 6.4, and 6.3 are not affected.
CVE-2026-22828 – Heap-based Buffer Overflow in FortiAnalyzer Cloud and FortiManager Cloud (High)
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-22828 |
| Advisory | FG-IR-26-121 |
| Severity | High |
| CVSS Score | 7.3 |
| CWE | CWE-122 (Heap-based Buffer Overflow) |
| Attack Vector | Network, unauthenticated (high complexity) |
Description
A heap-based buffer overflow in the oftpd daemon allows a remote unauthenticated attacker to execute arbitrary code via specifically crafted requests. Exploitation is rated high complexity: ASLR must be defeated, and the attacker needs access to another cloud component within the same entity.
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| FortiAnalyzer Cloud 7.6 | 7.6.2 – 7.6.4 | 7.6.5 or later |
| FortiManager Cloud 7.6 | 7.6.2 – 7.6.4 | 7.6.5 or later |
Recommended Actions
Administrators should promptly update affected products to the latest vendor-supported versions. Verify the installed version of each device before and after upgrading; builds at the fixed version or later are not affected.
- FortiSandbox 4.4 → upgrade to 4.4.9 or later
- FortiSandbox 5.0 → upgrade to 5.0.6 or later
- FortiDDoS-F 7.2 → upgrade to 7.2.3 or later
- FortiAnalyzer Cloud 7.6 → upgrade to 7.6.5 or later
- FortiManager Cloud 7.6 → upgrade to 7.6.5 or later
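The upgrade list above is easiest to apply against an inventory than by hand, because the same product branch is affected by different CVEs (FortiSandbox 4.4 by two, 5.0 by one) and the affected ranges do not always start at .0. The following script is an added example, not Fortinet tooling: it transcribes the affected ranges from the advisory tables above, parses version strings of the form `vX.Y.Z` (build suffixes are ignored), and reports which hosts still need an upgrade. The inventory format, hostnames, and version strings are constructed for illustration.

```python
"""Triage helper for the 14 April 2026 Fortinet PSIRT set.

Added example (not Fortinet code). The affected ranges below are copied from
the advisory tables; the inventory format and sample devices are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    advisory: str
    fixed_in: str


# (product, branch) -> list of (cve, advisory, first_affected, last_affected, fixed).
# Ranges are inclusive, exactly as stated in the advisories. Branches absent
# from this table (e.g. FortiSandbox 5.0 for CVE-2026-39808, FortiDDoS-F 7.0)
# are not affected.
AFFECTED = {
    ("FortiSandbox", "4.4"): [
        ("CVE-2026-39808", "FG-IR-26-100", "4.4.0", "4.4.8", "4.4.9"),
        ("CVE-2026-39813", "FG-IR-26-112", "4.4.0", "4.4.8", "4.4.9"),
    ],
    ("FortiSandbox", "5.0"): [
        ("CVE-2026-39813", "FG-IR-26-112", "5.0.0", "5.0.5", "5.0.6"),
    ],
    ("FortiDDoS-F", "7.2"): [
        ("CVE-2026-39815", "FG-IR-26-119", "7.2.1", "7.2.2", "7.2.3"),
    ],
    ("FortiAnalyzer Cloud", "7.6"): [
        ("CVE-2026-22828", "FG-IR-26-121", "7.6.2", "7.6.4", "7.6.5"),
    ],
    ("FortiManager Cloud", "7.6"): [
        ("CVE-2026-22828", "FG-IR-26-121", "7.6.2", "7.6.4", "7.6.5"),
    ],
}

_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract major.minor.patch from strings such as 'v4.4.8' or
    '4.4.8,build1234'. The build suffix is ignored: the fixes in these
    advisories are identified by patch version."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]))


def findings_for(product: str, version: str) -> list[Finding]:
    """Return every advisory entry whose inclusive range contains `version`."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    out: list[Finding] = []
    for cve, adv, lo, hi, fixed in AFFECTED.get((product, branch), []):
        if parse_version(lo) <= v <= parse_version(hi):
            out.append(Finding(cve, adv, fixed))
    return out


def triage(inventory) -> dict[str, list[Finding]]:
    """inventory: iterable of (hostname, product, version_string).
    Returns hostname -> findings for hosts needing action; clean hosts are omitted."""
    report: dict[str, list[Finding]] = {}
    for host, product, version in inventory:
        found = findings_for(product, version)
        if found:
            report[host] = found
    return report


# Constructed sample inventory; hostnames and build strings are illustrative.
SAMPLE_INVENTORY = [
    ("fsa-dmz-01", "FortiSandbox", "v4.4.8,build0000"),
    ("fsa-lab-02", "FortiSandbox", "v5.0.4"),
    ("fsa-lab-03", "FortiSandbox", "v5.0.6"),
    ("fddos-edge-01", "FortiDDoS-F", "v7.2.2"),
    ("fddos-edge-02", "FortiDDoS-F", "v7.0.3"),
    ("faz-cloud", "FortiAnalyzer Cloud", "7.6.3"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        for f in findings:
            print(f"{host}: {f.cve} ({f.advisory}) -> upgrade to {f.fixed_in} or later")
```

Feeding the script a real export from your asset inventory is a matter of replacing `SAMPLE_INVENTORY`; the product name must match the keys in `AFFECTED`, and a version the table does not cover (such as FortiDDoS-F 7.0.x) correctly produces no finding rather than an error.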
Who Is Affected?
These vulnerabilities affect organizations using Fortinet products for network protection, threat analysis, and security management. FortiSandbox deployments whose API or management interfaces are reachable from untrusted networks are at particular risk, because both critical issues are exploitable without credentials. Where an upgrade cannot be applied immediately, restricting access to those interfaces to trusted networks reduces exposure, but it does not replace patching.
Sources
- Fortinet PSIRT - FG-IR-26-100 (CVE-2026-39808)
- Fortinet PSIRT - FG-IR-26-112 (CVE-2026-39813)
- Fortinet PSIRT - FG-IR-26-119 (CVE-2026-39815)
- Fortinet PSIRT - FG-IR-26-121 (CVE-2026-22828)
- NVD - CVE-2026-39808
- NVD - CVE-2026-39813
- NVD - CVE-2026-39815
- NVD - CVE-2026-22828
Need help securing your systems? The nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
