Fortinet FortiSandbox — Critical Vulnerability Advisory

Fortinet published a sweeping security advisory on April 14, 2026, disclosing multiple vulnerabilities across its FortiSandbox platform. Two of the flaws are rated Critical and are exploitable without authentication, so they demand immediate attention from any organization running FortiSandbox.

CVE-2026-39808 — OS Command Injection (Critical)

CVE-2026-39808 is a critical OS command injection vulnerability in Fortinet FortiSandbox versions 4.4.0 through 4.4.8, carrying a CVSS score of 9.8. The flaw stems from improper neutralization of special elements used in an OS command (CWE-78; the listing also cites CWE-122, which is the heap-based buffer overflow class and does not describe an injection weakness), allowing an attacker to execute unauthorized commands on the affected system.

The vulnerability resides in the FortiSandbox API component and enables an unauthenticated attacker to execute arbitrary commands by sending specially crafted HTTP requests. Because no authentication is required and the attack vector is network-based, this is a low-complexity, high-impact issue. Successful exploitation could result in full compromise of the sandboxing environment, the very system designed to analyze and contain malware.

The vulnerability was responsibly disclosed by Samuel de Lucas Maroto of KPMG Spain.

Affected versions: FortiSandbox 4.4.0 – 4.4.8 | FortiSandbox PaaS up to 23.4.4374
Fix: Upgrade to FortiSandbox 4.4.9 or later.
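The advisory does not say how the injected input reaches the shell, so the following is a generic illustration of the CWE-78 weakness class, added here as an example. It is not FortiSandbox code: the request handler, its `filename` parameter and the use of `echo` as a stand-in for an analysis tool are all assumptions. The vulnerable variant splices an untrusted parameter into a shell command string; the hardened variant validates the parameter against an allowlist and runs an argument vector with no shell at all.

```python
"""CWE-78 (OS command injection), shown generically.

Added example, not FortiSandbox code. A hypothetical API handler hands a
request parameter to an external analysis tool. 'echo' stands in for the
tool so the example runs anywhere; the bug and the fix lie in how the
command is assembled, not in which binary is called.
"""
import re
import subprocess

TOOL = "echo"  # stand-in for a real analyzer binary (assumption)
# Plain file names only: no path separators, spaces or shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def analyze_vulnerable(filename: str) -> str:
    """Splices the untrusted parameter into a shell command line.

    Anything the shell treats specially in 'filename' (';', '|', '&&',
    '$(...)', backticks) is interpreted, so the caller can append commands.
    """
    cmd = f"{TOOL} --file {filename}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def analyze_hardened(filename: str) -> str:
    """Validates the parameter, then runs an argument vector with no shell.

    With shell=False the parameter is passed as a single argv element and no
    metacharacter parsing happens. The allowlist additionally rejects
    anything that is not a plain file name, so a bad request never reaches
    the tool at all.
    """
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    out = subprocess.run([TOOL, "--file", filename], shell=False,
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed request parameter: a benign payload that appends a command.
    payload = "sample.bin; echo INJECTED"
    print(analyze_vulnerable(payload), end="")   # two lines: injection worked
    try:
        analyze_hardened(payload)
    except ValueError as exc:
        print(exc)                               # rejected before execution
    print(analyze_hardened("sample.bin"), end="")  # "--file sample.bin"
```

The allowlist is the important half of the fix: passing an argv list stops the shell from parsing the value, but the receiving tool may still interpret a leading `-` as an option or a `../` as a path, so the parameter should be constrained to what the handler actually expects before it is forwarded.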

CVE-2026-39813 — Authentication Bypass via Path Traversal (Critical)

CVE-2026-39813 is a critical path traversal vulnerability (CVSS 9.8) affecting Fortinet FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. It is a relative path traversal of the classic `../filedir` form: the application fails to sanitize user-supplied input containing `..` directory traversal sequences, so an attacker can steer file paths outside the intended directory.

The vulnerability affects the FortiSandbox JRPC API and allows an unauthenticated attacker to bypass the login mechanism and gain administrative privileges, potentially resulting in full compromise of the appliance.

Affected versions: FortiSandbox 4.4.0 – 4.4.8 | 5.0.0 – 5.0.5
Fix: Upgrade to patched releases per Fortinet’s advisory.
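The advisory does not publish the affected JRPC code path, so the following is a generic illustration of the relative path traversal weakness described above, added here as an example. It is not FortiSandbox code: the base directory, the `resolve_*` functions and the sample names are assumptions. It shows the two mistakes that make traversal possible, joining without canonicalizing and checking containment with a string-prefix test, alongside a segment-aware check that rejects the input before anything is opened.

```python
"""Relative path traversal ('../' sequences), shown generically.

Added example, not FortiSandbox code. A hypothetical API resolves a
client-supplied name to a file under a fixed base directory. Paths are
handled purely as strings (normpath/abspath) so the example runs without a
filesystem; see the note after the block about symlinks and realpath.
"""
import os

BASE = "/srv/sandbox/files"  # hypothetical base directory (assumption)


def resolve_vulnerable(base: str, name: str) -> str:
    """Joins and normalizes without checking where the result ends up.

    '..' segments walk above the base, and os.path.join discards 'base'
    entirely when 'name' is an absolute path.
    """
    return os.path.normpath(os.path.join(base, name))


def is_inside_naive(base: str, path: str) -> bool:
    """The common broken check: a string-prefix test.

    Accepts a sibling directory whose name merely starts with the base name
    ('/srv/sandbox/files_evil'), so it is not a containment check.
    """
    return path.startswith(base)


def is_inside(base: str, path: str) -> bool:
    """Segment-aware containment after canonicalization.

    os.path.commonpath compares whole path components, so a sibling that
    shares a name prefix is not mistaken for a child of 'base'.
    """
    base = os.path.normpath(os.path.abspath(base))
    path = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([base, path]) == base


def resolve_hardened(base: str, name: str) -> str:
    """Canonicalize, then require that the base directory contain the result.

    The check runs before the filesystem is touched, so a traversal attempt
    fails closed instead of reaching an open(), stat() or delete().
    """
    candidate = os.path.normpath(os.path.join(base, name))
    if not is_inside(base, candidate):
        raise PermissionError(f"path escapes base directory: {name!r}")
    return candidate


if __name__ == "__main__":
    # Constructed inputs: one traversal, one absolute path, one benign name.
    for name in ("../../../etc/passwd", "/etc/passwd", "reports/2026/a.json"):
        print(f"{name!r:28} -> {resolve_vulnerable(BASE, name)}")
        try:
            print(f"{'':28}    hardened: {resolve_hardened(BASE, name)}")
        except PermissionError as exc:
            print(f"{'':28}    hardened: {exc}")
```

In production the canonicalization step should use `os.path.realpath` on both the base and the candidate so that a symlink inside the base directory cannot point the resolved path back outside it; the string-only form above is kept so the example is deterministic on any machine. The same containment check applies to delete operations, which is the shape of the `vmimages` issue listed further down.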

Additional FortiSandbox Vulnerabilities (April 14, 2026 Batch)

CVE-2026-27316 — An insufficiently protected credentials flaw (CWE-522) in the FortiSandbox and FortiSandbox PaaS web GUI, specifically within the LDAP configuration page. Rated Low, this authenticated flaw affects FortiSandbox 5.0.1–5.0.5 and PaaS versions up to 23.4.4374, potentially exposing LDAP bind credentials to authenticated users with GUI access.

CVE-2026-25691 — A path traversal flaw in FortiSandbox’s vmimages delete feature, enabling arbitrary directory deletion by authenticated GUI users.

Earlier FortiSandbox CVEs (2026)

CVE-2026-25836 — An OS command injection vulnerability (CWE-78) affecting FortiSandbox Cloud version 5.0.4, allowing a privileged attacker with super-admin profile and CLI access to execute unauthorized commands via crafted HTTP requests. Though authentication is required, successful exploitation could lead to complete infrastructure compromise, data exfiltration, and lateral movement.

CVE-2026-21643 — A Cross-Site Scripting (XSS) vulnerability (CWE-79) in FortiSandbox that may allow an unauthenticated attacker to inject script via crafted requests; the script then executes in the browser of a user who views the affected page, not on the appliance itself.

Patching Priority Order

  1. Immediate — CVE-2026-39808 and CVE-2026-39813 (Critical, unauthenticated, network-accessible)
  2. Urgent — CVE-2026-25836 (authenticated RCE on Cloud variant)
  3. Planned — CVE-2026-21643 (unauthenticated XSS), CVE-2026-27316, CVE-2026-25691
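A fleet of FortiSandbox instances is easiest to triage with a small script that compares each reported firmware version against the affected ranges above. The following is an added example, not a Fortinet tool: the `ADVISORY` table encodes only the version ranges and priority tiers this page states (CVE-2026-25691 and CVE-2026-21643 are omitted because no version range is given for them), and the product names and inventory lines are constructed for illustration. Versions are compared numerically so that, for example, 4.4.10 is correctly treated as later than 4.4.8 rather than sorting before it as a string would.

```python
"""Version triage against the FortiSandbox advisory ranges on this page.

Added example, not a Fortinet tool. Ranges are inclusive and taken from the
text above; a lower bound of None means "all earlier releases". CVEs for
which the page gives no version range are deliberately absent.
"""
import re

TIER_ORDER = {"Immediate": 0, "Urgent": 1, "Planned": 2}

ADVISORY = {
    "CVE-2026-39808": {
        "tier": "Immediate",
        "FortiSandbox": [("4.4.0", "4.4.8")],
        "FortiSandbox PaaS": [(None, "23.4.4374")],
    },
    "CVE-2026-39813": {
        "tier": "Immediate",
        "FortiSandbox": [("4.4.0", "4.4.8"), ("5.0.0", "5.0.5")],
    },
    "CVE-2026-25836": {
        "tier": "Urgent",
        "FortiSandbox Cloud": [("5.0.4", "5.0.4")],
    },
    "CVE-2026-27316": {
        "tier": "Planned",
        "FortiSandbox": [("5.0.1", "5.0.5")],
        "FortiSandbox PaaS": [(None, "23.4.4374")],
    },
}


def parse_version(text: str) -> tuple:
    """Extract the first three numeric components ('v5.0.5 build0282' -> (5, 0, 5)).

    Trailing build numbers are dropped so that a build of 5.0.5 still falls
    inside a range whose upper bound is written as 5.0.5.
    """
    parts = re.findall(r"\d+", text)[:3]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: tuple, low, high) -> bool:
    """Inclusive range test; a None lower bound matches every earlier release."""
    if low is not None and version < parse_version(low):
        return False
    return version <= parse_version(high)


def affected(product: str, version_text: str) -> list:
    """Return [(cve, tier), ...] for a product/version, most urgent first."""
    version = parse_version(version_text)
    hits = []
    for cve, entry in ADVISORY.items():
        for low, high in entry.get(product, []):
            if in_range(version, low, high):
                hits.append((cve, entry["tier"]))
                break
    return sorted(hits, key=lambda h: (TIER_ORDER[h[1]], h[0]))


if __name__ == "__main__":
    # Constructed inventory lines: hostname, product, reported version.
    inventory = [
        ("fsa-dc1", "FortiSandbox", "4.4.7"),
        ("fsa-dc2", "FortiSandbox", "4.4.10"),
        ("fsa-lab", "FortiSandbox", "5.0.5 build0282"),
        ("fsa-paas", "FortiSandbox PaaS", "23.4.4374"),
        ("fsa-cloud", "FortiSandbox Cloud", "5.0.4"),
    ]
    for host, product, ver in inventory:
        hits = affected(product, ver) or [("none", "-")]
        print(f"{host:10} {product:20} {ver:16} "
              + ", ".join(f"{c} [{t}]" for c, t in hits))
```

Treat the output as a starting point: the table encodes only what this page states, so a host that shows no hits still needs to be checked against Fortinet's full advisory for the two CVEs without published ranges and for any later revisions.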

Administrators should apply all available updates immediately and consult Fortinet’s Upgrade Path Tool beforehand to confirm a supported upgrade path from their current release.
