← back
CVE-2026-25089

CVE-2026-25089

CVSS 9.1 CRITICALEPSS 23.4%CWE-78
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Affected products
Fortinet · FortiSandboxFortinet · FortiSandbox CloudFortinet · FortiSandbox PaaS
public PoCs found2
githubgithub.com/HORKimhab/CVE-2026-250895githubgithub.com/0xBlackash/CVE-2026-250892
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://fortiguard.fortinet.com/psirt/FG-IR-26-141