CVE-2026-39808EXPLOITEDPATCHED

Fortinet · FortiSandbox

CVE-2026-39808: A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

Affected Products

Vendor	Product	Versions
Fortinet	FortiSandbox	4.4.0, 23.4.4374, 23.4.4350, 23.3.4329, 23.1.4245, 22.2.4151, 22.2.4134, 22.1.4113, 21.4.4072, 21.3.4055

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
fortinet	fortisandbox paas	mitre_affected	90%

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-100

Related News (2 articles)

Tier C

VulDB6h ago

CVE-2026-39808 | Fortinet FortiSandbox/FortiSandbox PaaS up to 4.4.8 os command injection (FG-IR-26-100)

→ No new info (linked only)

Tier A

Fortinet PSIRT15h ago

OS Command Injection through API endpoint

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

4.4.9

CWECWE-78

PublishedApr 14, 2026

Last enriched5h agov3

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-21643EXPKEV

CVE-2026-21643: An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiC

Trending: 152

CRITICALCVE-2026-35616EXPKEV

CVE-2026-35616: A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta

Trending: 131

CRITICALCVE-2026-39813EXP

CVE-2026-39813: A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.

Trending: 74

HIGHCVE-2026-22828EXP

CVE-2026-22828: A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2

Trending: 62

HIGHCVE-2026-39815EXP

CVE-2026-39815: A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDD

Trending: 62

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 14, 2026

Discovered by ZDM

Apr 14, 2026

Updated: affectedVersions, exploitAvailable, activelyExploited, patchAvailable

Apr 14, 2026

Updated: tags

Apr 14, 2026

Actively Exploited

Apr 14, 2026

Exploit Available

Apr 14, 2026

Patch Available

Apr 14, 2026

Version History

Last enriched 5h ago

v3Tier C5h ago

Updated description with new details and added tag for FortiSandbox PaaS.