CVE-2026-39808KEVEXPLOITEDPATCHED

fortinet · fortisandbox

CVE-2026-39808: A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F

Description

CVE-2026-39808 is an OS command injection flaw that can be exploited to execute arbitrary code or commands.

Affected Products

Vendor	Product	Versions
fortinet	fortisandbox	4.4.0, 23.4.4374, 23.4.4350, 23.3.4329, 23.1.4245, 22.2.4151, 22.2.4134, 22.1.4113, 21.4.4072, 21.3.4055

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
fortinet	fortisandbox paas	mitre_affected	90%

References

Related News (10 articles)

Tier D

Heise Security2h ago

Angriffe auf FortiSandbox-Schwachstellen

→ No new info (linked only)

Tier D

SecurityWeek7h ago

3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs

→ No new info (linked only)

Tier D

The Hacker News58d ago

⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More

→ No new info (linked only)

Tier D

Help Net Security59d ago

Week in review: Acrobat Reader flaw exploited, Claude Mythos offensive capabilities and limits

→ No new info (linked only)

Tier D

Help Net Security62d ago

Fortinet fixes critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808)

→ No new info (linked only)

Tier D

SecurityWeek63d ago

Fortinet Patches Critical FortiSandbox Vulnerabilities

→ No new info (linked only)

Tier D

Heise Security63d ago

Fortinet stopft 18 Sicherheitslecks

→ No new info (linked only)

Tier B

CERT-FR63d ago

Multiples vulnérabilités dans les produits Fortinet (15 avril 2026)

→ No new info (linked only)

Tier C

VulDB63d ago

CVE-2026-39808 | Fortinet FortiSandbox/FortiSandbox PaaS up to 4.4.8 os command injection (FG-IR-26-100)

→ No new info (linked only)

Tier A

Fortinet PSIRT64d ago

OS Command Injection through API endpoint

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CISA KEV✅ Yes

Actively exploited✅ Yes

Patch available

4.4.9

CWECWE-78

PublishedApr 14, 2026

Last enriched7h agov6

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-39813EXPKEV

CVE-2026-39813: A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.

Trending: 147

CRITICALCVE-2026-25089EXP

CVE-2026-25089: A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F

Trending: 94

CRITICALCVE-2026-35616EXPKEV

CVE-2026-35616: A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta

Trending: 71

CRITICALCVE-2026-26083

CVE-2026-26083: A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, Fo

Trending: 66

MEDIUMCVE-2025-61624EXP

CVE-2025-61624: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet For

Trending: 56

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 14, 2026

Added to CISA KEV

Apr 14, 2026

Discovered by ZDM

Apr 14, 2026

Updated: affectedVersions, exploitAvailable, activelyExploited, patchAvailable

Apr 14, 2026

Updated: tags

Apr 14, 2026

Updated: affectedVersions

Apr 15, 2026

Updated: description, tags

Apr 16, 2026

Actively Exploited

Apr 22, 2026

Exploit Available

Apr 22, 2026

Patch Available

Apr 22, 2026

Updated: description

Jun 17, 2026

Version History

Last enriched 7h ago

v6Tier D7h ago

Updated description to clarify the nature of the vulnerability and confirmed severity as CRITICAL.

description

via SecurityWeek

v5Tier D62d ago

Updated description with details on unauthenticated access and exploitation via specially crafted HTTP requests, and added new relevant tags.

descriptiontags

via Help Net Security

v4Tier D63d ago

Updated affected versions to include 5.0.6 and provided a more detailed description of the vulnerability.

affectedVersions

via Heise Security

v3Tier C63d ago

Updated description with new details and added tag for FortiSandbox PaaS.