CVE-2026-39808

Severity
9.8 CRITICAL
EPSS
No EPSS data
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 14

Description

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | fortinet/fortisandbox | 4.4.0 to 4.4.8
CVEListV5 | fortinet/fortisandbox_paas | 9 versions +8

🔴 Vulnerability Details

1
CVEList
CVE-2026-39808: An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4 | 2026-04-14

📋 Vendor Advisories

1
Fortinet
OS Command Injection through API endpoint | 2026-04-14