CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

OS command injection on vmimages update feature

unknownCVE-2026-25836
CVSSv3 Score: 6.7 An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. Revised on 2026-03-26 00:00:00

CSIRTS triage

What
A vulnerability allows a privileged attacker to execute unauthorized code via crafted HTTP requests.
Who is affected
Privileged users with super-admin profile and CLI access.
Urgency
Remediation is important due to the potential for unauthorized code execution.
Action
Apply security updates and review access controls.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch FortiSandbox Cloud and FortiSandbox PaaS

Get an email when a new FortiSandbox Cloud and FortiSandbox PaaS advisory drops — max one per day, one-click unsubscribe.

Details

Source
Fortinet FortiGuard PSIRT (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-03-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-096

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-25836coverage & exploitation statusNVD · CVE.org

Recent advisories for OS command injection

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from Fortinet FortiGuard PSIRT