CVE-2026-25836

⚠️ high

Summary

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.

CVSS Score

7.2

High

EPSS Score

0.1

Exploit Probability

Published Date

2026-03-10

First Seen: 2026-03-11

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.6% of all 321,566 vulnerabilities in our database.

#142,887

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: Mar 10, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Total

Complete system compromise possible

SSVC data provided by CISA

Last Modified 2026-03-18

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-78

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
fortinet	fortisandbox_cloud	Affected	v5.0.4

🔗 References 1

https://fortiguard.fortinet.com/psirt/FG-IR-26-096

Vendor Advisory

🔗 Related CVEs 4

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-26083	⛔ critical	9.8	0.1	A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, Fo...	2026-05-12
CVE-2026-39812	🔶 medium	4.8	0.0	A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSa...	2026-04-14
CVE-2025-53679	⚠️ high	7.2	0.3	An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] vul...	2025-12-09
CVE-2024-54026	🔶 medium	4.3	0.1	An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 t...	2025-03-11

These CVEs affect the same products