CRITICAL🇵🇱 Wersja polska

CVE-2026-39808

CVSS 9.8v3.1pub. 2026-04-14upd. 2026-04-22

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

🤖 AI Analysis
How it works

The vulnerability results from improper neutralization of special characters used in operating system commands (CWE-78). An attacker can supply crafted input data, which is then passed to a system command interpreter without proper sanitization. This allows injection and execution of arbitrary OS commands in the context of the vulnerable application.

Impact

An unauthenticated attacker can remotely execute arbitrary system commands on the device, leading to complete breach of confidentiality, integrity, and availability of the system (RCE).

Mitigation & patch

Apply patches available from the vendor according to the references (https://fortiguard.fortinet.com/psirt/FG-IR-26-100). Until the update is applied, it is recommended to restrict network access to the FortiSandbox management interface exclusively to trusted hosts.

Who is affected

Fortinet FortiSandbox versions 4.4.0 through 4.4.8 inclusive

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fortinet Fortisandbox

    APP
    Fortinet
    4.4.0 – 4.4.9
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2026-25089CRITICAL9.8PL ✓ten sam produkt

Command injection w Fortinet FortiSandbox — dostęp bez uwierzytelnienia

CVE-2026-26083CRITICAL9.8PL ✓ten sam produkt

Brak autoryzacji w Fortinet FortiSandbox umożliwia zdalne wykonanie kodu

CVE-2026-39813CRITICAL9.8ten sam produkt

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 ...

CVE-2025-52436HIGH8.8ten sam produkt

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79]...

CVE-2025-53949HIGH7.2ten sam produkt

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [C...