Critical Fortinet sandbox bugs allow auth bypass and RCE
Briefly

"CVE-2026-39808 is an OS command injection flaw in FortiSandbox that allows unauthenticated attackers to execute unauthorized code or commands via HTTP requests. It received a critical, 9.1 CVSS rating, and it affects versions 4.4.0 through 4.4.8."
"The second flaw, CVE-2026-39813, is a path traversal bug in the FortiSandbox JRPC API that allows an authentication bypass using specially crafted HTTP requests. It also earned a 9.1 CVSS rating and affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5."
"These security updates arrive about a week after Fortinet released an emergency patch for CVE-2026-35616, a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31."
Fortinet has disclosed two critical vulnerabilities in FortiSandbox that could be exploited by unauthenticated attackers. CVE-2026-39808 is an OS command injection flaw allowing unauthorized code or command execution, while CVE-2026-39813 is a path traversal bug in the JRPC API enabling authentication bypass. Both vulnerabilities received a critical CVSS rating of 9.1 and affect the FortiSandbox version ranges quoted above. Fortinet has issued patches, and security researchers have developed scanners to identify vulnerable instances. These updates follow a recent emergency patch for another critical bug in FortiClient EMS.
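As an added example, not code from the article or from the scanners it mentions: an inventory triage helper that checks a FortiSandbox version against only the affected ranges quoted on this page, comparing versions numerically so that a build such as 4.4.10 is not mistaken for one inside 4.4.0 through 4.4.8. The hostnames and versions in the sample inventory are constructed, and a version outside the listed ranges is reported as unlisted rather than as safe.

```python
# Added example: classify FortiSandbox version strings against the affected
# ranges stated on this page. This is not the researchers' scanner, and the
# ranges are only those the page quotes, so "not listed" does not mean "safe".
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges per CVE as quoted on the page (inclusive at both ends).
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2026-39808": [("4.4.0", "4.4.8")],
    "CVE-2026-39813": [("4.4.0", "4.4.8"), ("5.0.0", "5.0.5")],
}


def parse_version(text: str) -> Version:
    """Turn '4.4.10' into (4, 4, 10) so comparisons are numeric; a plain
    string comparison would wrongly order '4.4.10' before '4.4.8'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: Version, low: str, high: str) -> bool:
    """Inclusive range test on parsed version tuples."""
    return parse_version(low) <= version <= parse_version(high)


def affected_cves(version_text: str) -> List[str]:
    """Return the CVE ids whose listed ranges contain this version."""
    version = parse_version(version_text)
    return [cve for cve, ranges in AFFECTED.items()
            if any(in_range(version, lo, hi) for lo, hi in ranges)]


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host in an inventory (hostname -> version) to its CVE list."""
    return {host: affected_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or observed versions.
    sample = {"sandbox-a": "4.4.8", "sandbox-b": "4.4.10", "sandbox-c": "5.0.3"}
    for host, cves in triage(sample).items():
        print(host, cves or "not in a listed affected range")
```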
Read at Theregister