Severity: 6.1 (MEDIUM)
EPSS: 0.0% (top 93.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 14

Description

An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, and FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross-site scripting (XSS) attack via crafted HTTP requests.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.6 | Impact: 2.7

Affected Packages (6 packages)

Source | Package | Range start | Range end | More ranges
NVD | fortinet/fortios | 6.4.0 | 7.4.9 | +1
CVEListV5 | fortinet/fortios | 7.6.0 | 7.6.2 | +4
NVD | fortinet/fortiproxy | 7.0.0 | 7.6.4 |
CVEListV5 | fortinet/fortiproxy | 7.6.0 | 7.6.3 | +3
CVEListV5 | fortinet/fortisase | 25.2.a | |

Vulnerability Details (2)

Source | Entry | Date
CVEList | CVE-2025-31366: An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7 | 2025-10-14
GHSA | GHSA-8mjg-h7v2-89h4: An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] in FortiOS 7 | 2025-10-14

Vendor Advisories (1)

Vendor | Advisory | Date
Fortinet | Open Redirect and XSS in Web Filter warning page | 2025-10-14
CVE-2025-31366 (MEDIUM CVSS 6.1) | An Improper Neutralization of Input | cvebase.io