CVE-2026-26083

CRITICAL

FortiSandbox and FortiSandbox Cloud - Unauthenticated Remote Code Execution via HTTP Requests

Description

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

Scores

CVSS v3 9.8
EPSS 0.0006
EPSS Percentile 20.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-862
Status published
Products (20)
Fortinet/FortiSandbox 4.2.1 - 4.2.8
Fortinet/FortiSandbox 4.4.0 - 4.4.8
fortinet/fortisandbox 4.4.0 - 4.4.9
Fortinet/FortiSandbox 5.0.0 - 5.0.1
Fortinet/FortiSandbox Cloud 4.4.5 - 4.4.8
Fortinet/FortiSandbox Cloud 5.0.0 - 5.0.1
Fortinet/FortiSandbox PaaS 21.3.4055
Fortinet/FortiSandbox PaaS 21.4.4072
Fortinet/FortiSandbox PaaS 22.1.4113
Fortinet/FortiSandbox PaaS 22.2.4134
... and 10 more
Published May 12, 2026
Tracked Since May 12, 2026