cbcvebase.
CVE-2026-21643
published 2026-02-06

CVE-2026-21643: An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an…

critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-04-16
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Affected

4 ranges
VendorProductVersion rangeFixed in
fortinetforticlientems
fortinetforticlientems
fortinetforticlientems>= 7.4.0 < 7.4.57.4.5
fortinetfortinet

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
cisa9.8CRITICAL