CVE-2025-54972

MEDIUM

Fortinet FortiMail <7.6.3 - CRLF Injection

Title source: llm

Description

An improper neutralization of CRLF sequences ('CRLF injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2 all versions, and FortiMail 7.0 all versions may allow an attacker to inject headers into the response by convincing a user to click on a specifically crafted link.

Scores

CVSS v3 4.3
EPSS 0.0004
EPSS Percentile 13.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE
CWE-93
Status published

Affected Products (1)

fortinet/fortimail < 7.4.6

Timeline

Published Nov 18, 2025
Tracked Since Feb 18, 2026