Description
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Published: 2026-04-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via OS command injection
Action: Immediate patch
AI Analysis

Impact

An OS command injection flaw exists in Fortinet FortiSandbox 4.4.0 through 4.4.8, allowing an attacker to supply input that is not properly sanitized when passed to the operating system. This leads to execution of arbitrary commands or code on the sandbox host, giving the attacker control over the processing of data and potentially the underlying infrastructure.

Affected Systems

The vulnerability affects FortiSandbox versions 4.4.0 to 4.4.8 and FortiSandbox PaaS releases 21.3.4055 through 23.4.4374. Users deploying any of these builds must ensure they apply the latest patches.

Risk and Exploitability

The flaw scores a CVSS base of 9.1, indicating a critical severity. Exploitation requires an attacker to send malicious input to an unsanitized interface; the attack vector is inferred to be external, such as a malicious file or request sent to the sandbox. No published exploits are known at the time of this advisory and the issue is not in the CISA KEV catalog, but the high score suggests a strong likelihood of future exploitation if left unpatched.

Generated by OpenCVE AI on April 14, 2026 at 17:45 UTC.

Remediation

Vendor Solution

Upgrade to FortiSandbox version 4.4.9 or above
Upgrade to FortiSandbox PaaS version 5.0.2 or above


OpenCVE Recommended Actions

  • Upgrade FortiSandbox to version 4.4.9 or higher
  • Upgrade FortiSandbox PaaS to version 5.0.2 or higher
  • If an upgrade is not immediately possible, isolate the affected sandbox from network traffic and monitor logs for unusual activity

Generated by OpenCVE AI on April 14, 2026 at 17:45 UTC.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet fortisandbox Paas
Vendors & Products Fortinet fortisandbox Paas

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in FortiSandbox Enabling Remote Code Execution

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
First Time appeared Fortinet
Fortinet fortisandbox
Fortinet fortisandboxpaas
Weaknesses CWE-78
CPEs cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortisandbox
Fortinet fortisandboxpaas
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-15T03:58:23.870Z

Reserved: 2026-04-07T15:24:03.838Z

Link: CVE-2026-39808

Vulnrichment

Updated: 2026-04-14T16:37:38.704Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T16:16:44.860

Modified: 2026-04-17T15:11:35.840

Link: CVE-2026-39808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:03:01Z

Weaknesses