Zero Day Monitor (ZDM)
CVSS 9.1 · CVE-2026-39813 · EXPLOITED · PATCHED
Fortinet · FortiSandbox

CVE-2026-39813: A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.

Description

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via <insert attack vector here>

Affected Products

Vendor | Product | Versions
Fortinet | FortiSandbox | 5.0.0, 4.4.0, 24.1, 23.4, 5.0.4

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
fortinet | fortisandbox cloud | mitre_affected | 90%

References

  • https://fortiguard.fortinet.com/psirt/FG-IR-26-112

Related News (2 articles)

Tier C · VulDB · 4h ago
CVE-2026-39813 | Fortinet FortiSandbox/FortiSandbox Cloud up to 4.4.8/5.0.5 /filedir path traversal (FG-IR-26-112)
→ No new info (linked only)
Tier A · Fortinet PSIRT · 14h ago
Unauthenticated Authentication bypass and Privilege escalation in FortiSandbox
→ No new info (linked only)
CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 5.0.6
CWE: CWE-24
Published: Apr 14, 2026
Last enriched: 5h ago (v2)
Trending Score: 75
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-21643 · EXP · KEV
CVE-2026-21643: An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiC
Trending: 153
CRITICAL · CVE-2026-35616 · EXP · KEV
CVE-2026-35616: A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta
Trending: 132
CRITICAL · CVE-2026-39808 · EXP
CVE-2026-39808: A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F
Trending: 75
HIGH · CVE-2026-22828 · EXP
CVE-2026-22828: A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2
Trending: 62
HIGH · CVE-2026-39815 · EXP
CVE-2026-39815: A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDD
Trending: 62

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 14, 2026
Discovered by ZDM: Apr 14, 2026
Updated: affectedVersions, patchAvailable, activelyExploited: Apr 14, 2026
Actively Exploited: Apr 14, 2026
Patch Available: Apr 14, 2026

Version History

v2
Last enriched 5h ago
v2 · Tier A · 5h ago

Updated affected versions to include 5.0.6 and 4.4.9, added patch available version 5.0.6, and marked the vulnerability as actively exploited.

affectedVersions, patchAvailable, activelyExploited
via Fortinet PSIRT
v1 · 5h ago

Initial creation