CVE-2026-25972

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

6.1MEDIUM

EPSS

0.1%

top 84.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortisiem

Timeline

PublishedMar 10

Description

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4 may allow a remote unauthenticated attacker to provide arbitrary data enabling a social engineering attack via spoofed URL parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDfortinet/fortisiem7.3.0 — 7.3.5+1

▶CVEListV5fortinet/fortisiem7.3.0 — 7.3.4+1

🔴Vulnerability Details

GHSA

GHSA-2m7q-86j6-pc24: An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSIEM 7↗2026-03-10

▶

CVEList

CVE-2026-25972: An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSIEM 7↗2026-03-10

▶

📋Vendor Advisories

Fortinet

Reflected Cross Site Scripting (XSS) in error page↗2026-03-10

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25972 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶