CVE-2026-39808

CRITICAL EXPLOITED NUCLEI

FortiSandbox 4.4.0-4.4.8 - OS Command Injection

Exploitation Summary

CVE-2026-39808 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including adminlove520, ynsmroztas, XZ1r0. A Nuclei detection template is also available.


Description

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>

Exploits (6)

github WORKING POC 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-39808

The repository provides a functional PoC for CVE-2026-39808, demonstrating an unauthenticated RCE vulnerability in Fortinet FortiSandbox via command injection in the `jid` parameter of the `/fortisandbox/job-detail/tracer-behavior` endpoint. The exploit uses a simple curl command to inject OS commands via the pipe symbol.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiSandbox versions 4.4.0 through 4.4.8
No auth needed
Prerequisites: network access to the target FortiSandbox instance
devstral-2 · analyzed May 08, 2026

nomisec WORKING POC 1 stars
by ynsmroztas · poc
https://github.com/ynsmroztas/FortiSandbox-RCE-Exploit-CVE-2026-39808

This repository contains a functional Python exploit for CVE-2026-39808, an unauthenticated OS command injection vulnerability in Fortinet FortiSandbox. The exploit leverages the `/fortisandbox/job-detail/tracer-behavior` endpoint with an unsanitized `jid` parameter to execute arbitrary commands as root.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiSandbox < 4.4.9
No auth needed
Prerequisites: Network access to the target FortiSandbox instance
devstral-2 · analyzed Apr 22, 2026

github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-39808

The repository provides a functional PoC for CVE-2026-39808, an unauthenticated RCE vulnerability in FortiSandbox. The exploit leverages command injection via the `jid` parameter in the `/fortisandbox/job-detail/tracer-behavior` endpoint using the pipe symbol (`|`).

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FortiSandbox versions 4.4.0 through 4.4.8
No auth needed
Prerequisites: network access to the target FortiSandbox instance
devstral-2 · analyzed May 21, 2026

nomisec WORKING POC
by 0xBlackash · remote
https://github.com/0xBlackash/CVE-2026-39808

This repository contains a functional exploit PoC for CVE-2026-39808, demonstrating an unauthenticated OS command injection vulnerability in Fortinet FortiSandbox. The exploit chains CVE-2026-39813 (authentication bypass) with CVE-2026-39808 (command injection) to achieve root-level remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiSandbox 4.4.0 - 4.4.8, 5.0.0 - 5.0.5
No auth needed
Prerequisites: Network access to the target FortiSandbox instance
devstral-2 · analyzed Apr 18, 2026

nomisec WORKING POC
by samu-delucas · remote
https://github.com/samu-delucas/CVE-2026-39808

The repository provides a functional proof-of-concept for CVE-2026-39808, demonstrating an unauthenticated command injection vulnerability in Fortinet's FortiSandbox via the `jid` parameter in the `/fortisandbox/job-detail/tracer-behavior` endpoint. The PoC uses a simple curl command to achieve remote code execution as root.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiSandbox versions 4.4.0 through 4.4.8
No auth needed
Prerequisites: network access to the target FortiSandbox instance
devstral-2 · analyzed Apr 16, 2026

nomisec SUSPICIOUS
by Lechansky · poc
https://github.com/Lechansky/CVE-2026-39808

The repository claims to provide an exploit for CVE-2026-39808 but only contains a README with vague details and external download links. No actual exploit code is present, and the focus is on directing users to external sources.

Classification: Suspicious (95%)
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: Fortinet FortiSandbox versions 4.4.0 through 4.4.8
No auth needed
Prerequisites: network access to target
devstral-2 · analyzed Apr 15, 2026

Nuclei Templates (1)

Fortinet FortiSandbox - Command Injection
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan: http.title:"FortiSandbox"
FOFA: title="FortiSandbox"

Scores

CVSS v3 9.8
EPSS 0.1668
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-06-09
CWE CWE-78
Status published
Products (11)
Fortinet/FortiSandbox 4.4.0 - 4.4.8
fortinet/fortisandbox 4.4.0 - 4.4.9
Fortinet/FortiSandbox PaaS 21.3.4055
Fortinet/FortiSandbox PaaS 21.4.4072
Fortinet/FortiSandbox PaaS 22.1.4113
Fortinet/FortiSandbox PaaS 22.2.4134
Fortinet/FortiSandbox PaaS 22.2.4151
Fortinet/FortiSandbox PaaS 23.1.4245
Fortinet/FortiSandbox PaaS 23.3.4329
Fortinet/FortiSandbox PaaS 23.4.4350
... and 1 more
Published Apr 14, 2026
Tracked Since Apr 14, 2026