Fortinet Patches Critical FortiSandbox Vulnerabilities
Briefly

"CVE-2026-39813 impacts the FortiSandbox JRPC API and could allow attackers to bypass authentication. The second critical flaw, CVE-2026-39808, is an OS command injection issue that can be exploited for arbitrary code or command execution."
"Successful exploitation of CVE-2026-22828 would require a large amount of effort in preparation because of ASLR and network segmentation. This vulnerability could only be exploited if the attacker already has access to another cloud component belonging to the same entity."
"Fortinet also addressed two high-severity SQL injection bugs in FortiDDoS-F and FortiClientEMS that could be exploited via crafted requests to run arbitrary SQL queries on the database. Both flaws require authentication."
Fortinet issued 26 advisories addressing 27 vulnerabilities across its products, including two critical flaws in FortiSandbox. CVE-2026-39813 allows authentication bypass via the JRPC API, while CVE-2026-39808 is an OS command injection vulnerability enabling arbitrary code execution. Both carry a CVSS score of 9.1. Fortinet also patched a high-severity buffer overflow in FortiAnalyzer Cloud (CVE-2026-22828), along with two high-severity, authenticated SQL injection vulnerabilities in FortiDDoS-F and FortiClientEMS. Other medium- and low-severity issues were addressed as well; no in-the-wild exploitation has been reported for any of these flaws.
Read at SecurityWeek