Zero Day Monitor (ZDM)
EST
PRE-CVE
fortinet

Multiple Critical Vulnerabilities in Fortinet Products Including OS Command Injection, Authentication Bypass, Privilege Escalation, Heap-based Buffer Overflow, and SQL Injection

72% confidence

Description

Fortinet disclosed multiple critical vulnerabilities affecting various products including OS command injection via API endpoint, unauthenticated authentication bypass and privilege escalation in FortiSandbox, heap-based buffer overflow in the oftpd daemon, and SQL injection via API. Affected products include FortiSandbox versions 4.4.0 to 4.4.8 and 5.0.0 to 5.0.5, FortiAnalyzer Cloud versions 7.6.2 to 7.6.4, FortiManager Cloud versions 7.6.2 to 7.6.4, and FortiDDoS-F versions 7.2.1 to 7.2.2.

Affected Products

Vendor: fortinet
Product: —
Versions: FortiSandbox 4.4.0 - 4.4.8, FortiSandbox 5.0.0 - 5.0.5, FortiAnalyzer Cloud 7.6.2 - 7.6.4, FortiManager Cloud 7.6.2 - 7.6.4, FortiDDoS-F 7.2.1 - 7.2.2

Related News (1 article)

Tier B
CCCS Canada · 3h ago
Fortinet security advisory (AV26-351)
→ No new info (linked only)
CISA KEV: ❌ No
Actively exploited: ❌ No
CWE: CWE-77, CWE-287, CWE-269, CWE-122, CWE-89
Published: Apr 14, 2026
Last enriched: 3h ago
Tags: os command injection, authentication bypass, privilege escalation, heap-based buffer overflow, sql injection, fortinet, critical vulnerability
Trending Score: 30
Source articles: 1
Independent: 1
Info Completeness: 6/14
Missing: cve_id, product, cvss, epss, kev, exploit, patch, iocs

Related CVEs (5)

CRITICAL · CVE-2026-21643 · EXP · KEV
CVE-2026-21643: An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiC
Trending: 153

CRITICAL · CVE-2026-35616 · EXP · KEV
CVE-2026-35616: An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated atta
Trending: 132

CRITICAL · CVE-2026-39808 · EXP
CVE-2026-39808: An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F
Trending: 75

CRITICAL · CVE-2026-39813 · EXP
CVE-2026-39813: A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.
Trending: 75

HIGH · CVE-2026-22828 · EXP
CVE-2026-22828: A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2
Trending: 62

Verification

State: reported
Confidence: 72%

Vulnerability Timeline

CVE Published: Apr 14, 2026
Discovered by ZDM: Apr 14, 2026