Description
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Published: 2026-04-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Script execution in a victim's browser session via cross‑site scripting (CVSS C:L/I:L/A:N, scope changed); not code execution on the appliance itself
Action: Immediate patch
AI Analysis

Impact

This vulnerability (CWE‑79) arises from improper neutralization of user‑supplied input when FortiSandbox generates web pages, allowing an attacker to inject script that runs in the browser of a user who views the affected page. The injected script executes within that user's FortiSandbox web‑UI session, which can lead to credential theft, session hijacking, actions performed with the victim's privileges, and phishing‑style attacks. The CVSS vector (C:L/I:L/A:N, scope changed) reflects limited confidentiality and integrity impact in the victim's browser rather than command execution on the appliance, and the vendor description does not state the attack vector.
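To make the weakness class concrete, the following is an added, generic illustration of CWE‑79 written for this page. It is not FortiSandbox code and does not reproduce the unpublished FortiSandbox attack vector; the two payload strings and the page fragments are constructed. It shows the same user input rendered without neutralization (an HTML text context and a double‑quoted attribute context are both broken) and then with contextual output encoding, plus the separate encoding needed when a value lands inside a script block.

```python
import html
import json

# Constructed attacker-controlled inputs, as they might arrive in a form
# field or URL parameter that a page later reflects.
PAYLOAD_BODY = '<script>fetch("/steal?c=" + document.cookie)</script>'
PAYLOAD_ATTR = '" autofocus onfocus="alert(document.domain)'


def render_unsafe(display_name: str, search: str) -> str:
    """Vulnerable pattern: user input concatenated straight into HTML."""
    return (
        "<h1>Results for " + display_name + "</h1>"
        '<input type="text" value="' + search + '">'
    )


def render_safe(display_name: str, search: str) -> str:
    """Hardened pattern: contextual output encoding.

    html.escape() neutralises <, >, & and (quote=True is the default)
    both quote characters, which covers the HTML text context and the
    double-quoted attribute context used here."""
    return (
        "<h1>Results for " + html.escape(display_name) + "</h1>"
        '<input type="text" value="' + html.escape(search) + '">'
    )


def render_safe_js(config_value: str) -> str:
    """Hardened for a JavaScript context: emit the value as a JSON string
    literal and additionally escape '<' so a '</script>' inside the value
    cannot terminate the enclosing script element."""
    literal = json.dumps(config_value).replace("<", "\\u003c")
    return "<script>var q = " + literal + ";</script>"


def contains_live_tag(markup: str, tag: str = "script") -> bool:
    """Does the output contain a real '<tag' opener (not an &lt; entity)?"""
    return ("<" + tag).lower() in markup.lower()


def attribute_was_broken(markup: str) -> bool:
    """The template emits exactly four raw double quotes (type="text" and
    value="..."); any more means the attribute value was closed early."""
    return markup.count('"') > 4


if __name__ == "__main__":
    unsafe = render_unsafe(PAYLOAD_BODY, PAYLOAD_ATTR)
    safe = render_safe(PAYLOAD_BODY, PAYLOAD_ATTR)
    print("unsafe: live <script> =", contains_live_tag(unsafe),
          "attribute broken =", attribute_was_broken(unsafe))
    print("safe:   live <script> =", contains_live_tag(safe),
          "attribute broken =", attribute_was_broken(safe))
    print(render_safe_js("</script><script>alert(1)</script>"))
```

The point of the two helpers at the end is that "does the output still contain a live tag or an early‑closed attribute" is a property you can assert in a unit test for every template that reflects input, which is a cheaper regression check than a manual injection attempt.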

Affected Systems

Fortinet FortiSandbox 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and every 4.2 release, together with the same version ranges of FortiSandbox PaaS, are affected. Note that the CPE enumeration recorded in the history below lists the on‑premises product only up to 5.0.4 and starts 4.2 at 4.2.1, while the vendor description names 5.0.5 and all of 4.2; treat the vendor description as authoritative when matching inventory.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) indicates medium severity: the attacker reaches the web interface over the network, but needs an account with high privileges on the appliance (PR:H) and a second user must interact with the affected page for the payload to fire (UI:R); the changed scope reflects that the impact lands in that user's browser. EPSS is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not in the CISA KEV catalog, so there is no indication of in‑the‑wild exploitation at the time of writing. Availability is not affected (A:N), so denial of service is not in scope. The risk is moderate, but an official fix is available (RL:O) and the management UI of a malware‑analysis appliance is a high‑value target, so timely patching is advised.

Generated by OpenCVE AI on April 14, 2026 at 17:40 UTC.

Remediation

Vendor Solution

Upgrade to FortiSandbox version 5.0.6 or above
Upgrade to FortiSandbox version 4.4.9 or above
Upgrade to FortiSandbox PaaS version 5.0.6 or above
Upgrade to FortiSandbox PaaS version 4.4.9 or above


OpenCVE Recommended Actions

  • Upgrade FortiSandbox to version 5.0.6 or later (5.0 branch) or 4.4.9 or later (4.4 branch).
  • If using FortiSandbox PaaS, upgrade to version 5.0.6 or later or 4.4.9 or later.
  • The vendor lists no fixed release on the 4.2 branch; 4.2 deployments need to migrate to 4.4.9 or later or 5.0.6 or later.
  • After the upgrade, confirm that the running firmware version shown on the system dashboard (or by the CLI) is at or above the fixed release. Since the attack vector is not published, a version check is the reliable verification, not a manual injection test against the web interface.
  • Because exploitation requires a highly privileged account (PR:H), review administrator accounts and audit logs for unexpected changes, and keep the management interface off untrusted networks.
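For fleets with more than a handful of appliances, the version comparison above is easier to get right in code than by eye. The following is an added triage helper written for this page, not Fortinet tooling; the affected ranges and fixed releases are the ones quoted in the vendor description and solution above, and the inventory list is constructed. Both FortiSandbox and FortiSandbox PaaS carry the same ranges, so the product name only labels the report.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# branch -> (first affected, last affected, first fixed), from the advisory
# text on this page. A None fix means the vendor lists no fixed release on
# that branch (4.2: "all versions").
AFFECTED = {
    (5, 0): ((5, 0, 0), (5, 0, 5), (5, 0, 6)),
    (4, 4): ((4, 4, 0), (4, 4, 8), (4, 4, 9)),
    (4, 2): (None, None, None),
}

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Constructed inventory (hypothetical hosts, not real data).
INVENTORY = [
    ("FortiSandbox", "v5.0.3 build0123"),
    ("FortiSandbox", "5.0.6"),
    ("FortiSandbox PaaS", "4.4.8"),
    ("FortiSandbox", "4.2.7"),
    ("FortiSandbox", "4.4.9"),
    ("FortiSandbox", "5.2.0"),
]


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from strings such as 'v5.0.5' or
    '5.0.5 build0123'; None when no x.y.z triple is present."""
    m = _VER_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def _report(product: str, version: str, status: str, action: str) -> dict:
    return {"product": product, "version": version,
            "status": status, "action": action}


def assess(product: str, version_text: str) -> dict:
    """Classify one appliance as affected / fixed / unlisted / unparseable
    and name the upgrade target where the advisory gives one."""
    ver = parse_version(version_text)
    if ver is None:
        return _report(product, version_text, "unparseable",
                       "determine the running version manually")
    branch = AFFECTED.get(ver[:2])
    if branch is None:
        return _report(product, version_text, "unlisted",
                       "branch not named in this advisory; check Fortinet PSIRT")
    _first, _last, fixed = branch
    if fixed is None:
        return _report(product, version_text, "affected",
                       "no fixed 4.2 release listed; migrate to 4.4.9 or 5.0.6 or later")
    if ver >= fixed:          # tuple comparison: (5,0,6) >= (5,0,6)
        return _report(product, version_text, "fixed", "none")
    return _report(product, version_text, "affected",
                   "upgrade to %d.%d.%d or later" % fixed)


def triage(inventory) -> list:
    """Assess every host, affected ones first so they top the report."""
    order = {"affected": 0, "unparseable": 1, "unlisted": 2, "fixed": 3}
    return sorted((assess(p, v) for p, v in inventory),
                  key=lambda r: order[r["status"]])


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-18s %-18s %-11s %s" % (row["product"], row["version"],
                                        row["status"], row["action"]))
```

The "unlisted" status is deliberate: a branch the advisory does not mention (5.2.0 in the constructed data) is not evidence of safety, only of absence from this record, so it is reported separately rather than folded into "fixed".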

Generated by OpenCVE AI on April 14, 2026 at 17:40 UTC.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type: Title
Values added: Cross‑Site Scripting Vulnerability in FortiSandbox and FortiSandbox PaaS

Wed, 15 Apr 2026 14:45:00 +0000

Type: First Time appeared
Values added: Fortinet Fortisandbox Paas
Type: Vendors & Products
Values added: Fortinet Fortisandbox Paas

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Type: Description
Values added: An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Type: First Time appeared
Values added: Fortinet; Fortinet fortisandbox; Fortinet fortisandboxpaas
Type: Weaknesses
Values added: CWE-79
Type: CPEs
Values added:
CPEs cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.2.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.5:*:*:*:*:*:*:*
Type: Vendors & Products
Values added: Fortinet; Fortinet fortisandbox; Fortinet fortisandboxpaas
Type: References (no values recorded)
Type: Metrics
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-14T16:46:15.629Z

Reserved: 2026-04-07T15:24:11.535Z

Link: CVE-2026-39812

Vulnrichment

Updated: 2026-04-14T16:37:14.786Z

NVD

Status : Received

Published: 2026-04-14T16:16:45.490

Modified: 2026-04-14T16:16:45.490

Link: CVE-2026-39812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses