CVE-2026-25089

CRITICAL NVD

CVSS Score 9.8

Severity CRITICAL

Published Jun 09, 2026

Vendor unknown

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-141