CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Arbitrary log file read in administrative interface

unknownCVE-2026-25690
CVSSv3 Score: 4.0 An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEB UI may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests. Revised on 2026-05-12 00:00:00

CSIRTS triage

What
An argument injection vulnerability allows authenticated attackers to read log files.
Who is affected
Authenticated users with read-only admin permissions in FortiDeceptor.
Urgency
Remediation is important to prevent unauthorized access to sensitive log information.
Action
Apply patches or restrict access to the affected functionality.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch FortiDeceptor

Get an email when a new FortiDeceptor advisory drops — max one per day, one-click unsubscribe.

Details

Source
Fortinet FortiGuard PSIRT (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-05-12
Exploitation
Not in CISA KEV at last sync

Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-138

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-25690coverage & exploitation statusNVD · CVE.org

More from Fortinet FortiGuard PSIRT