Description
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Published: 2026-04-14
Score: 9.1 Critical
EPSS: 22.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FortiSandbox 4.4.0 through 4.4.8 contains an OS command injection flaw (CWE-78): input that reaches the appliance is not neutralized before it is incorporated into an operating-system command, so an attacker can terminate the intended command and append commands of their own. The published vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the flaw as reachable over the network without authentication or user interaction, with full loss of confidentiality, integrity and availability. Successful exploitation runs attacker-chosen commands on the sandbox host in the context of the vulnerable component (the advisory does not say which), which exposes every sample the appliance analyses, the verdicts it returns, and any upstream systems that submit samples to it or trust its output.
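The weakness class in miniature, as an added example that is neither FortiSandbox code nor the actual vector (the CNA has not published one): a hypothetical "sample name" parameter spliced into a shell command line, beside the argv-based form that never reaches a shell. The directory, parameter and helper names are assumptions made for the illustration.

```python
"""CWE-78 illustrated (added example, not FortiSandbox code).

The advisory names the weakness class but no attack vector, so the
'sample_name' parameter below is a hypothetical input chosen only to show
what CWE-78 is: untrusted text spliced into a shell command line, next to
the argv-based form that does not go through a shell at all.
"""
import re
import shlex
import subprocess
import sys

SAMPLE_DIR = "/tmp/samples"  # hypothetical location, for illustration only


def vulnerable_command_line(sample_name: str) -> str:
    """Vulnerable pattern: string concatenation destined for a shell (shell=True).

    A name such as 'a.bin; id' terminates the intended command and appends another.
    """
    return f"file {SAMPLE_DIR}/{sample_name}"


def shell_command_count(cmdline: str) -> int:
    """How many separate commands /bin/sh would run for this line.

    Tokenises with shell punctuation recognised and counts the separators.
    This only inspects the line; it never executes it.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    tokens = list(lexer)
    return 1 + sum(1 for t in tokens if t in {";", "|", "&", "&&", "||"})


def validated_sample_name(sample_name: str) -> str:
    """Allow-list check: a bare file name drawn from a conservative character set.

    The leading character may not be '-' or '.', which also rules out option
    injection ('-o ...') and path traversal ('../').
    """
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", sample_name):
        raise ValueError(f"rejected sample name: {sample_name!r}")
    return sample_name


def hardened_argv(sample_name: str) -> list[str]:
    """Hardened pattern: validate, then build an argv list with no shell.

    '--' is defence in depth: even if validation were loosened, a name
    beginning with '-' would still be treated as a path, not an option.
    """
    name = validated_sample_name(sample_name)
    return ["file", "--", f"{SAMPLE_DIR}/{name}"]


def argument_as_seen_by_child(sample_name: str) -> str:
    """Run a child without a shell and return the argument it received.

    Even with no validation, the argv form delivers the whole string as one
    argument: the child sees '/tmp/samples/a.bin; id' as a single file name
    and no 'id' process is started. The interpreter itself is the child so
    the demo does not depend on other tools being installed.
    """
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')",
            f"{SAMPLE_DIR}/{sample_name}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    hostile = "a.bin; id"
    line = vulnerable_command_line(hostile)
    print(f"{line!r} -> {shell_command_count(line)} shell commands")
    print("argv form, child received:", argument_as_seen_by_child(hostile))
    try:
        hardened_argv(hostile)
    except ValueError as exc:
        print("validation:", exc)
```

The two fixes are independent: the argv list removes the shell from the path entirely, and the allow-list limits what can reach the command at all. Use both; the allow-list alone is bypassable the moment a second code path concatenates the same value.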

Affected Systems

Affected are FortiSandbox 4.4.0 through 4.4.8 (every 4.4.x release before 4.4.9) and the FortiSandbox PaaS builds enumerated in the CPE data in the History section: 21.3.4055, 21.4.4072, 22.1.4113, 22.2.4134, 22.2.4151, 23.1.4245, 23.3.4329, 23.4.4350 and 23.4.4374. The vendor fix is FortiSandbox 4.4.9 or later and FortiSandbox PaaS 5.0.2 or later. Other version trains are not listed on this page; confirm their status against the vendor advisory rather than assuming they are unaffected.
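A fleet check, added here as an example and not a Fortinet tool: it encodes the affected builds and fix versions listed on this page and classifies each installed build as affected, fixed or unlisted. The inventory records are constructed for the example, and the rule that separates the year-based PaaS build numbers from the 5.0.x series is an assumption noted in the code.

```python
"""Affected-build check for CVE-2026-39808 (added example, not a Fortinet tool).

Encodes the version data on this page: FortiSandbox 4.4.0 through 4.4.8
(fixed in 4.4.9) and the enumerated FortiSandbox PaaS builds (fixed in 5.0.2).
Version strings are assumed to be the dotted form the product displays; how
they are collected from the fleet is outside this example.
"""
from __future__ import annotations

FIXED_ON_PREM = (4, 4, 9)
FIXED_PAAS = (5, 0, 2)
AFFECTED_PAAS_BUILDS = {
    "21.3.4055", "21.4.4072", "22.1.4113", "22.2.4134", "22.2.4151",
    "23.1.4245", "23.3.4329", "23.4.4350", "23.4.4374",
}


def parse_version(text: str) -> tuple[int, ...]:
    """'4.4.10' -> (4, 4, 10).

    Numeric tuples compare correctly where strings do not: '4.4.10' < '4.4.8'
    as strings, but (4, 4, 10) > (4, 4, 8).
    """
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, version: str) -> str:
    """Classify one installed build as 'affected', 'fixed' or 'unlisted'.

    'unlisted' means this page's data cannot clear the build; check the vendor
    advisory instead of treating it as safe.
    """
    v = parse_version(version)
    if product == "fortisandbox":
        if (4, 4, 0) <= v < FIXED_ON_PREM:
            return "affected"
        if v >= FIXED_ON_PREM:  # vendor: "4.4.9 or above"
            return "fixed"
        return "unlisted"       # e.g. 4.2.x: not listed either way
    if product == "fortisandboxpaas":
        if version.strip() in AFFECTED_PAAS_BUILDS:
            return "affected"
        # Assumption: PaaS moved from year-based builds (21.3.4055 ...) to a
        # 5.0.x series. The two schemes are not numerically comparable, so a
        # 2x.y build that is not listed is 'unlisted', not 'fixed', even
        # though 24 > 5. Only builds below the year-based range are compared.
        if v[0] < 20 and v >= FIXED_PAAS:
            return "fixed"
        return "unlisted"
    raise ValueError(f"unknown product: {product!r}")


# Constructed sample inventory (hostname, product, version); not real hosts.
SAMPLE_INVENTORY = [
    ("sbx-dc1-01", "fortisandbox", "4.4.8"),
    ("sbx-dc1-02", "fortisandbox", "4.4.10"),
    ("sbx-lab-01", "fortisandbox", "4.2.6"),
    ("sbx-paas-eu", "fortisandboxpaas", "23.4.4374"),
    ("sbx-paas-us", "fortisandboxpaas", "5.0.2"),
]


def hosts_needing_action(inventory) -> list[tuple[str, str, str, str]]:
    """Hosts that are affected or that this page's data cannot clear."""
    result = []
    for host, product, version in inventory:
        verdict = assess(product, version)
        if verdict != "fixed":
            result.append((host, product, version, verdict))
    return result


if __name__ == "__main__":
    for row in hosts_needing_action(SAMPLE_INVENTORY):
        print("%-12s %-18s %-10s %s" % row)
```

The point of the tri-state is the "unlisted" bucket: a naive "is it older than the fix?" comparison marks 4.2.6 and a hypothetical PaaS 24.1 build as fine, and neither conclusion follows from the data on this page.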

Risk and Exploitability

The published vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with temporal metrics E:F/RL:O/RC:C. The base score for those metrics is 9.8 (Critical); the 9.1 shown on this page is the temporal score after the Functional exploit-maturity (E:F) and Official-fix (RL:O) adjustments. Either way the flaw is network-reachable, low-complexity, and needs neither privileges nor user interaction. The CNA left the attack vector as a placeholder in the description, so the exact interface (a submitted sample, a management-plane request, or something else) is not public; do not rely on a particular exposure model when deciding whether an instance is reachable. The EPSS score of 22.1% estimates the probability of exploitation activity within the next 30 days, roughly one in five and far above the typical CVE, even though OpenCVE labels that band Moderate. The SSVC assessment recorded on 22 April 2026 moved Exploitation from 'none' to 'poc', and E:F in the vector means functional exploit code exists, so treat exploit code as available even though the CVE is not in CISA KEV at the time of writing.

Generated by OpenCVE AI on May 7, 2026 at 14:38 UTC.

Remediation

Vendor Solution

Upgrade to FortiSandbox version 4.4.9 or above.
Upgrade to FortiSandbox PaaS version 5.0.2 or above.


OpenCVE Recommended Actions

  • Upgrade FortiSandbox to version 4.4.9 or higher
  • Upgrade FortiSandbox PaaS to version 5.0.2 or higher
  • If an upgrade is not immediately possible, take the appliance's management and sample-submission interfaces off untrusted networks (the vector is AV:N/PR:N, so exposure alone is enough), restrict inbound access to the hosts that must reach it, and review its event logs and outbound connections for activity the appliance does not normally generate
  • After upgrading, confirm the running version on every instance, and treat any instance that was reachable from untrusted networks before the upgrade as possibly compromised: the vector records functional exploit code (E:F), so check for unexpected administrator accounts, configuration changes and outbound connections rather than assuming the patch closed the matter



Advisories

No advisories yet.

History

Thu, 07 May 2026 15:00:00 +0000

Type: Title
Value: FortiSandbox OS Command Injection Vulnerability

Tue, 05 May 2026 15:30:00 +0000

Type: Title
Value: OS Command Injection Vulnerability in FortiSandbox 4.4.x

Sat, 02 May 2026 01:00:00 +0000

Type: Title
Value: OS Command Injection Vulnerability in FortiSandbox 4.4.x

Tue, 28 Apr 2026 16:45:00 +0000

Type: Title
Value: OS Command Injection in FortiSandbox Enabling Remote Code Execution

Wed, 22 Apr 2026 14:15:00 +0000

Type: References
Type: Metrics (ssvc)
Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 19:15:00 +0000

Type: CPEs
Value: cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 21:15:00 +0000

Type: First Time appeared
Added: Fortinet fortisandbox Paas
Type: Vendors & Products
Added: Fortinet fortisandbox Paas

Wed, 15 Apr 2026 15:45:00 +0000

Type: Title
Value: OS Command Injection in FortiSandbox Enabling Remote Code Execution

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Type: Description
Added: A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

Type: First Time appeared
Added: Fortinet; Fortinet fortisandbox; Fortinet fortisandboxpaas

Type: Weaknesses
Added: CWE-78

Type: CPEs
Added:
cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*

Type: Vendors & Products
Added: Fortinet; Fortinet fortisandbox; Fortinet fortisandboxpaas

Type: References

Type: Metrics (cvssV3_1)
Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-22T13:56:10.055Z

Reserved: 2026-04-07T15:24:03.838Z

Link: CVE-2026-39808

Vulnrichment

Updated: 2026-04-14T16:37:38.704Z

NVD

Status : Modified

Published: 2026-04-14T16:16:44.860

Modified: 2026-04-22T14:17:00.873

Link: CVE-2026-39808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T14:45:26Z

Weaknesses