Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
6 vulnerabilities found for fortisandbox_cloud by fortinet
CVE-2026-25836 (GCVE-0-2026-25836)
Vulnerability from nvd – Published: 2026-03-10 16:44 – Updated: 2026-03-11 03:56
VLAI?
Summary
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.
Severity ?
CWE
- CWE-78 - Execute unauthorized code or commands
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | FortiSandbox Cloud |
Affected:
5.0.4
cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T03:56:56.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox Cloud",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "5.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of special elements used in an os command (\u0027os command injection\u0027) vulnerability in Fortinet FortiSandbox Cloud 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T16:44:06.991Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-096",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-096"
}
],
"solutions": [
{
"lang": "en",
"value": "Fortinet remediated this issue in FortiSandbox Cloud version 5.0.5 and hence customers do not need to perform any action."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2026-25836",
"datePublished": "2026-03-10T16:44:06.991Z",
"dateReserved": "2026-02-06T08:48:58.542Z",
"dateUpdated": "2026-03-11T03:56:56.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53679 (GCVE-0-2025-53679)
Vulnerability from nvd – Published: 2025-12-09 17:19 – Updated: 2026-02-26 16:56
VLAI?
Summary
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1, FortiSandbox Cloud 23 all versions allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests.
Severity ?
CWE
- CWE-78 - Execute unauthorized code or commands
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Fortinet | FortiSandbox |
Affected:
5.0.0 , ≤ 5.0.2
(semver)
Affected: 4.4.0 , ≤ 4.4.7 (semver) Affected: 4.2.1 , ≤ 4.2.8 (semver) Affected: 4.0.0 , ≤ 4.0.6 (semver) cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53679",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T04:57:29.061841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:56:59.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "5.0.2",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.7",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "4.2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandboxcloud:24.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandboxcloud:23.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox Cloud",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "24.1"
},
{
"status": "affected",
"version": "23.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1, FortiSandbox Cloud 23 all versions allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T12:52:34.446Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-25-454",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-454"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiSandbox version 5.0.3 or above\nUpgrade to FortiSandbox version 4.4.8 or above\nFortinet remediated this issue in FortiSandbox Cloud version 24.2 (not released) and hence customers do not need to perform any action."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2025-53679",
"datePublished": "2025-12-09T17:19:51.110Z",
"dateReserved": "2025-07-08T09:23:05.010Z",
"dateUpdated": "2026-02-26T16:56:59.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54026 (GCVE-0-2024-54026)
Vulnerability from nvd – Published: 2025-03-11 14:54 – Updated: 2026-01-14 14:16
VLAI?
Summary
An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Severity ?
CWE
- CWE-89 - Execute unauthorized code or commands
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Fortinet | FortiSandbox |
Affected:
4.4.0 , ≤ 4.4.6
(semver)
Affected: 4.2.1 , ≤ 4.2.8 (semver) Affected: 4.0.0 , ≤ 4.0.6 (semver) Affected: 3.2.0 , ≤ 3.2.4 (semver) Affected: 3.1.0 , ≤ 3.1.5 (semver) Affected: 3.0.0 , ≤ 3.0.7 (semver) cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T16:02:30.152318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T16:05:02.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "4.2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.2.4",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.5",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandboxcloud:24.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox Cloud",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "24.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of special elements used in an sql command (\u0027sql injection\u0027) in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T14:16:03.420Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-353",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-353"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiSandbox version 5.0.1 or above\nUpgrade to FortiSandbox version 4.4.7 or above\nFortinet remediated this issue in FortiSandbox Cloud version 24.2 (not released) and hence customers do not need to perform any action."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2024-54026",
"datePublished": "2025-03-11T14:54:38.660Z",
"dateReserved": "2024-11-27T15:20:39.891Z",
"dateUpdated": "2026-01-14T14:16:03.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25836 (GCVE-0-2026-25836)
Vulnerability from cvelistv5 – Published: 2026-03-10 16:44 – Updated: 2026-03-11 03:56
VLAI?
Summary
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.
Severity ?
CWE
- CWE-78 - Execute unauthorized code or commands
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Fortinet | FortiSandbox Cloud |
Affected:
5.0.4
cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T03:56:56.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox Cloud",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "5.0.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of special elements used in an os command (\u0027os command injection\u0027) vulnerability in Fortinet FortiSandbox Cloud 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T16:44:06.991Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-096",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-096"
}
],
"solutions": [
{
"lang": "en",
"value": "Fortinet remediated this issue in FortiSandbox Cloud version 5.0.5 and hence customers do not need to perform any action."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2026-25836",
"datePublished": "2026-03-10T16:44:06.991Z",
"dateReserved": "2026-02-06T08:48:58.542Z",
"dateUpdated": "2026-03-11T03:56:56.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53679 (GCVE-0-2025-53679)
Vulnerability from cvelistv5 – Published: 2025-12-09 17:19 – Updated: 2026-02-26 16:56
VLAI?
Summary
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1, FortiSandbox Cloud 23 all versions allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests.
Severity ?
CWE
- CWE-78 - Execute unauthorized code or commands
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Fortinet | FortiSandbox |
Affected:
5.0.0 , ≤ 5.0.2
(semver)
Affected: 4.4.0 , ≤ 4.4.7 (semver) Affected: 4.2.1 , ≤ 4.2.8 (semver) Affected: 4.0.0 , ≤ 4.0.6 (semver) cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53679",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T04:57:29.061841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:56:59.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "5.0.2",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.4.7",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "4.2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandboxcloud:24.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandboxcloud:23.4:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox Cloud",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "24.1"
},
{
"status": "affected",
"version": "23.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027) vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1, FortiSandbox Cloud 23 all versions allows a remote privileged attacker to execute unauthorized code or commands via crafted HTTP or HTTPS requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T12:52:34.446Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-25-454",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-454"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiSandbox version 5.0.3 or above\nUpgrade to FortiSandbox version 4.4.8 or above\nFortinet remediated this issue in FortiSandbox Cloud version 24.2 (not released) and hence customers do not need to perform any action."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2025-53679",
"datePublished": "2025-12-09T17:19:51.110Z",
"dateReserved": "2025-07-08T09:23:05.010Z",
"dateUpdated": "2026-02-26T16:56:59.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54026 (GCVE-0-2024-54026)
Vulnerability from cvelistv5 – Published: 2025-03-11 14:54 – Updated: 2026-01-14 14:16
VLAI?
Summary
An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Severity ?
CWE
- CWE-89 - Execute unauthorized code or commands
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Fortinet | FortiSandbox |
Affected:
4.4.0 , ≤ 4.4.6
(semver)
Affected: 4.2.1 , ≤ 4.2.8 (semver) Affected: 4.0.0 , ≤ 4.0.6 (semver) Affected: 3.2.0 , ≤ 3.2.4 (semver) Affected: 3.1.0 , ≤ 3.1.5 (semver) Affected: 3.0.0 , ≤ 3.0.7 (semver) cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.7:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.6:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.5:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.2:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.1:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortisandbox:3.0.0:*:*:*:*:*:*:* |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-11T16:02:30.152318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T16:05:02.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:4.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.7:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.6:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.5:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.2:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.1:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortisandbox:3.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "4.4.6",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "4.2.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.0.6",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.2.4",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.1.5",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:fortinet:fortisandboxcloud:24.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiSandbox Cloud",
"vendor": "Fortinet",
"versions": [
{
"status": "affected",
"version": "24.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An improper neutralization of special elements used in an sql command (\u0027sql injection\u0027) in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Execute unauthorized code or commands",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T14:16:03.420Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-24-353",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-353"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to FortiSandbox version 5.0.1 or above\nUpgrade to FortiSandbox version 4.4.7 or above\nFortinet remediated this issue in FortiSandbox Cloud version 24.2 (not released) and hence customers do not need to perform any action."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2024-54026",
"datePublished": "2025-03-11T14:54:38.660Z",
"dateReserved": "2024-11-27T15:20:39.891Z",
"dateUpdated": "2026-01-14T14:16:03.420Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}