Description
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
Published: 2026-04-14
Score: 9.1 Critical
EPSS: 48.7% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Fortinet FortiSandbox versions 4.4.0 to 4.4.8 contain an OS command injection flaw (CWE‑78). The flaw originates when the sandbox service accepts unvalidated parameters that are passed directly to the operating system, enabling an attacker to execute arbitrary code on the host. This can compromise the sandbox itself and potentially lead to loss of confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects FortiSandbox 4.4.0 through 4.4.8 and FortiSandbox PaaS releases through 23.4.4374. All deployments running any of those builds are vulnerable and must be remediated.

Risk and Exploitability

The flaw has a CVSS base score of 9.1, indicating critical severity. EPSS score of 49% reflects a moderate to high likelihood of exploitation today, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is external, likely through the sandbox ingestion API or user interface that accepts files, allowing an attacker to supply malicious input that is passed to the operating system.

Generated by OpenCVE AI on June 24, 2026 at 13:23 UTC.

Remediation

Vendor Solution

Upgrade to FortiSandbox version 4.4.9 or above Upgrade to FortiSandbox PaaS version 5.0.2 or above


OpenCVE Recommended Actions

  • Upgrade FortiSandbox to version 4.4.9 or higher.
  • Upgrade FortiSandbox PaaS to version 5.0.2 or higher.
  • If an upgrade is not immediately possible, isolate the sandbox from external network traffic, restrict file ingestion to trusted sources, and monitor logs for suspicious activity.

Generated by OpenCVE AI on June 24, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Leading to Remote Code Execution

Wed, 24 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Leading to Remote Code Execution

Wed, 24 Jun 2026 03:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enables Remote Code Execution

Wed, 24 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enables Remote Code Execution

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection Vulnerability in Fortinet FortiSandbox Enables Remote Execution

Tue, 23 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection Vulnerability in Fortinet FortiSandbox Enables Remote Execution

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox 4.4.x Releases

Wed, 17 Jun 2026 09:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox 4.4.x Releases

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enables Remote Code Execution

Fri, 12 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enables Remote Code Execution

Thu, 11 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability Causing Remote Code Execution

Mon, 08 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability Causing Remote Code Execution

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Title Fortinet FortiSandbox OS Command Injection Vulnerability (CWE-78)

Fri, 22 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Fortinet FortiSandbox OS Command Injection Vulnerability (CWE-78)

Wed, 13 May 2026 16:30:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability

Thu, 07 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability

Tue, 05 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title OS Command Injection Vulnerability in FortiSandbox 4.4.x

Sat, 02 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title OS Command Injection Vulnerability in FortiSandbox 4.4.x

Tue, 28 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enabling Remote Code Execution

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet fortisandbox Paas
Vendors & Products Fortinet fortisandbox Paas

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enabling Remote Code Execution

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
First Time appeared Fortinet
Fortinet fortisandbox
Fortinet fortisandboxpaas
Weaknesses CWE-78
CPEs cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortisandbox
Fortinet fortisandboxpaas
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}


Subscriptions

Fortinet Fortisandbox Fortisandbox Paas Fortisandboxpaas
cve-icon MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-22T13:56:10.055Z

Reserved: 2026-04-07T15:24:03.838Z

Link: CVE-2026-39808

cve-icon Vulnrichment

Updated: 2026-04-14T16:37:38.704Z

cve-icon NVD

Status : Modified

Published: 2026-04-14T16:16:44.860

Modified: 2026-06-17T10:42:36.887

Link: CVE-2026-39808

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:30:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')