CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Multiple Stored XSS

unknownCVE-2026-39812
CVSSv3 Score: 4.3 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow a privileged attacker to perform a stored XSS attack via crafted HTTP requests. Revised on 2026-04-14 00:00:00

CSIRTS triage

What
A stored XSS vulnerability allows a privileged attacker to perform attacks via crafted HTTP requests.
Who is affected
Privileged users of FortiSandbox and FortiSandbox Cloud.
Urgency
Remediation is necessary due to the potential for exploitation, although it is not currently being exploited.
Action
Update to the latest version to mitigate the vulnerability.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch FortiSandbox

Get an email when a new FortiSandbox advisory drops — max one per day, one-click unsubscribe.

Details

Source
Fortinet FortiGuard PSIRT (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-04-14
Exploitation
Not in CISA KEV at last sync

Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-110

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-39812coverage & exploitation statusNVD · CVE.org

More from Fortinet FortiGuard PSIRT