Fortinet Fortisandbox vulnerabilities

CVE-2025-53608 [MEDIUM] CWE-79 CVE-2025-53608: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilit An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated privileged attacker to execute code via crafted requests.

CVE-2025-52436 [HIGH] CWE-79 CVE-2025-52436: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilit An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests.

CVE-2025-67685 [LOW] CWE-918 CVE-2025-67685: A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] vulnerability in Fortinet FortiSandbox A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests.

CVE-2025-53679 [HIGH] CWE-78 CVE-2025-53679: An improper neutralization of special elements used in an OS command ('OS Command Injection') vulner An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1, FortiSandbox Cloud 23 all versions allows a remote privi

CVE-2025-53949 [HIGH] CWE-78 CVE-2025-53949: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulner An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying

CVE-2025-54353 [MEDIUM] CWE-79 CVE-2025-54353: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerabilit An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an attacker to perform an XSS attack via crafted HTTP requests.

CVE-2025-46215 [MEDIUM] CWE-653 CVE-2025-46215: An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 An Improper Isolation or Compartmentalization vulnerability [CWE-653] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to evade the sandboxing scan via a crafted file.

CVE-2024-27779 [MEDIUM] CWE-613 CVE-2024-27779: An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4. An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an

CVE-2021-26105 [MEDIUM] CWE-358 CVE-2021-26105: A stack-based buffer overflow vulnerability (CWE-121) in the profile parser of FortiSandbox version A stack-based buffer overflow vulnerability (CWE-121) in the profile parser of FortiSandbox version 3.2.2 and below, version 3.1.4 and below may allow an authenticated attacker to potentially execute unauthorized code or commands via specifically crafted HTTP requests.

CVE-2024-54027 [HIGH] CWE-321 CVE-2024-54027: A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and belo A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and below, version 4.2.7 and below, version 4.0.5 and below, version 3.2.4 and below, version 3.1.5 and below, version 3.0.7 to 3.0.5 may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI.

CVE-2024-52960 [MEDIUM] CWE-602 CVE-2024-52960: A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox v A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

CVE-2024-45328 [HIGH] CWE-863 CVE-2024-45328: An incorrect authorization vulnerability [CWE-863] in FortiSandbox 4.4.0 through 4.4.6 may allow a l An incorrect authorization vulnerability [CWE-863] in FortiSandbox 4.4.0 through 4.4.6 may allow a low priviledged administrator to execute elevated CLI commands via the GUI console menu.

CVE-2024-54018 [HIGH] CWE-78 CVE-2024-54018: Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] Multiple improper neutralization of special elements used in an OS Command vulnerabilities [CWE-78] in FortiSandbox before 4.4.5 allows a privileged attacker to execute unauthorized commands via crafted requests.

CVE-2024-52961 [HIGH] CWE-78 CVE-2024-52961: An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerab An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticate

CVE-2024-54026 [MEDIUM] CWE-89 CVE-2024-54026: An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized

CVE-2024-27781 [HIGH] CWE-79 CVE-2024-27781: An improper neutralization of input during web page generation ('cross-site scripting') vulnerabilit An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker to execute un

CVE-2024-27778 [HIGH] CWE-78 CVE-2024-27778: An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerab An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.5 through 3.0.7 allows an authenticated attacker with a

CVE-2024-31490 [MEDIUM] CWE-200 CVE-2024-31490: An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiSandbox An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0 all versions, FortiSandbox 3.2.2 through 3.2.4, FortiSandbox 3.1.5 allows attacker to information disclosure via HTTP get requests.

CVE-2024-31491 [HIGH] CWE-602 CVE-2024-31491: A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 throu A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6 allows attacker to execute unauthorized code or commands via HTTP requests.

CVE-2024-23671 [HIGH] CWE-22 CVE-2024-23671: A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fo A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4 allows attacker to execute unauthorized code or commands via crafted HTTP requests.