Description
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Published: 2026-04-14
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Command Execution via Path Traversal
Action: Apply Patch
AI Analysis

Impact

A relative path traversal flaw exists in Fortinet FortiWeb firmware versions ranging from 8.0.0 to 8.0.2, 7.6.0 to 7.6.6, 7.4.1 to 7.4.12, 7.2.7 to 7.2.12, and 7.0.10 to 7.0.12. The flaw allows an attacker to manipulate path inputs to bypass directory boundaries, potentially enabling the execution of arbitrary code or commands on the host. The vulnerability is classified as CWE-23.

Affected Systems

The affected product is Fortinet FortiWeb. Systems running any of the listed firmware ranges are impacted; this includes the 8.x, 7.6.x, 7.4.x, 7.2.x, and 7.0.x branches.

Risk and Exploitability

The CVSS score of 6.2 indicates a moderate risk. EPSS data is unavailable, so the likelihood of exploitation is unclear from the data. The vulnerability is not in the CISA KEV catalog, suggesting no widespread exploitation has been reported yet. Based on the nature of the flaw, the likely attack vector is a crafted HTTP request that includes relative path sequences to reach privileged files, but this is inferred rather than explicitly stated.

Generated by OpenCVE AI on April 14, 2026 at 18:12 UTC.

Remediation

Vendor Solution

Upgrade to FortiWeb version 8.0.3 or above
Upgrade to FortiWeb version 7.6.7 or above


OpenCVE Recommended Actions

  • Upgrade FortiWeb to version 8.0.3 or later if running the 8.x branch
  • Upgrade FortiWeb to version 7.6.7 or later if running the 7.6 branch
  • Verify that the device firmware version is not within the vulnerable ranges (including 7.4.x, 7.2.x, and 7.0.x)
  • Restrict external access to the FortiWeb administration interface and enforce strong authentication
  • Monitor system logs for anomalous command execution attempts

Generated by OpenCVE AI on April 14, 2026 at 18:12 UTC.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type: Title
Values Added: Relative Path Traversal Vulnerability Allowing Unauthorized Commands in FortiWeb

Tue, 14 Apr 2026 17:15:00 +0000

Type: Metrics ssvc
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:00:00 +0000

Type: Description
Values Added: A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
Type: First Time appeared
Values Added: Fortinet; Fortinet fortiweb
Type: Weaknesses
Values Added: CWE-23
Type: CPEs
Values Added:
cpe:2.3:a:fortinet:fortiweb:7.4.10:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.11:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.12:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.4.9:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:7.6.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:8.0.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortiweb:8.0.2:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Fortinet; Fortinet fortiweb
Type: References
Values Added:
Type: Metrics cvssV3_1
Values Added:

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-04-15T03:58:21.366Z

Reserved: 2026-04-07T15:24:15.182Z

Link: CVE-2026-39814

Vulnrichment

Updated: 2026-04-14T16:37:18.851Z

NVD

Status : Awaiting Analysis

Published: 2026-04-14T16:16:45.850

Modified: 2026-04-17T15:11:35.840

Link: CVE-2026-39814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses