{"total":50,"page":1,"count":50,"advisories":[{"id":"e0162231-4d47-4254-a035-1452e77f025b","num":86851,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-143","title":"Restricted CLI escape using Lua","summary":"CVSSv3 Score: 6.0 An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] in FortiOS and FortiProxy may allow an authenticated admin to execute lua scripts via crafted CLI commands. Revised on 2026-06-09 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-143","severity":"unknown","cvss":null,"cves":["CVE-2025-67862"],"exploited":false,"has_exploit":false,"published_at":"2026-06-09T07:00:00+00:00"},{"id":"1fbf5645-26a0-4493-b652-dc97d7cae939","num":86852,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-141","title":"Second-Order OS Command Injection via JSON Input on start vnc feature","summary":"CVSSv3 Score: 9.1 An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. Revised on 2026-06-09 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-141","severity":"unknown","cvss":null,"cves":["CVE-2026-25089"],"exploited":false,"has_exploit":false,"published_at":"2026-06-09T07:00:00+00:00"},{"id":"bbbc486d-782b-4d91-9cd8-ba739b1e7e09","num":86850,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-140","title":"Improper access control in API endpoints","summary":"CVSSv3 Score: 6.2 An improper access control vulnerability [CWE-284] in FortiPortal API endpoints may allow a remote privileged attacker with organization user role to obtain sensitive network configuration data via crafted HTTP requests. Revised on 2026-06-09 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-140","severity":"unknown","cvss":null,"cves":["CVE-2026-49938"],"exploited":false,"has_exploit":false,"published_at":"2026-06-09T07:00:00+00:00"},{"id":"b02b5a08-b138-43d0-9e40-ab0455c99640","num":86854,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-144","title":"Linux Kernel vulnerability Dirty Frag","summary":"CVSSv3 Score: 7.9 Linux kernel is impacted by CVE-2026-43284 and CVE-2026-43500 which chained together create the Dirty Frag vulnerability.CVE-2026-43284In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs. That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path. This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().CVE-2026-43500In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries externally-owned paged fragments (e.g. SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_ap","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-144","severity":"unknown","cvss":null,"cves":["CVE-2026-43284","CVE-2026-43500"],"exploited":false,"has_exploit":false,"published_at":"2026-06-03T07:00:00+00:00"},{"id":"504e7d54-7f5a-4413-9f7d-b08e9f3ea52c","num":86857,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-139","title":"Linux Kernel Vulnerability copy.fail - CVE-2026-31431","summary":"CVSSv3 Score: 7.8 CVE-2026-31431In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly. Revised on 2026-05-13 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-139","severity":"unknown","cvss":null,"cves":["CVE-2026-31431"],"exploited":true,"has_exploit":true,"published_at":"2026-05-13T07:00:00+00:00"},{"id":"d590917c-bfe3-46ad-8317-7174da5bb48d","num":86867,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-132","title":"SQL command injection in administrative portal","summary":"CVSSv3 Score: 6.3 An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiMail may allow an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-132","severity":"unknown","cvss":null,"cves":["CVE-2025-53681"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"757adcb2-fe58-48ce-b4f6-98676b556e31","num":86861,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-129","title":"Hardcoded Encryption Key Used for VPN Saved Passwords","summary":"CVSSv3 Score: 2.1 A Missing Authorization [CWE-862] in FortiClient Windows may allow an authenticated local attacker to decrypt a currently logged in users VPN password via use of an unprotected DLL function. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-129","severity":"unknown","cvss":null,"cves":["CVE-2026-44278"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"d10cd99d-7f0c-405c-b28f-8318e990b475","num":86868,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-134","title":"User controlled SQL commands","summary":"CVSSv3 Score: 5.1 An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-89] in FortiNDR may allow an authenticated attacker to execute arbitrary SQL commands on selected databases and tables via specifically crafted HTTP requests. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-134","severity":"unknown","cvss":null,"cves":["CVE-2026-25088"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"e8dca6fc-23c2-40c5-8a0d-da2b9d0f8ad8","num":86858,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-138","title":"Arbitrary log file read in administrative interface","summary":"CVSSv3 Score: 4.0 An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEB UI may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-138","severity":"unknown","cvss":null,"cves":["CVE-2026-25690"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"f214841e-11bd-4542-9ae4-ba6353d99241","num":86860,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-137","title":"DoS due to unsafe function in signal handler","summary":"CVSSv3 Score: 5.2 A use of potentially Dangerous Function vulnerability [CWE-676] in FortiAnalyzer and FortiManager API may allow an authenticated attacker to cause a system hang via multiple specially crafted HTTP requests causing crashes. This happens if internal locks are aligned, which is out of control of the attacker. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-137","severity":"unknown","cvss":null,"cves":["CVE-2025-67604"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"595c27ff-54e7-4a9a-a359-7e307508a444","num":86863,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-136","title":"Incorrect global authorization","summary":"CVSSv3 Score: 9.1 A missing authorization vulnerability [CWE-862] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-136","severity":"unknown","cvss":null,"cves":["CVE-2026-26083"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"43330c47-cf97-4b80-952e-455bca950203","num":86864,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-133","title":"OS command injection in CLI","summary":"CVSSv3 Score: 6.5 An OS command injection vulnerabtility [CWE-78] in FortiAP and FortiAP-W2 cli may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted cli command. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-133","severity":"unknown","cvss":null,"cves":["CVE-2025-53870"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"cddd8cd9-6e99-4b81-b8cd-f06a0a4f797d","num":86865,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-130","title":"OTP Disclosure via Exported TokenContentProvider","summary":"CVSSv3 Score: 5.0 An improper export of Android application components [CWE-926] in FortiTokenAndroid may allow other applications on the device to read the OTP code via an exported Content Provider URI. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-130","severity":"unknown","cvss":null,"cves":["CVE-2026-44279"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"2c151b0a-d979-42b6-8980-60c1a80c7288","num":86859,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-131","title":"Command injection in CLI","summary":"CVSSv3 Score: 6.1 An improper neutralization of special elements used in an OS command (\"OS Command Injection\") vulnerability [CWE-78] in FortiAP, FortiAP-U & FortiAP-W2 CLI may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI requests. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-131","severity":"unknown","cvss":null,"cves":["CVE-2025-53680"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"283b5add-5503-4a95-a0b0-49392c7751eb","num":86862,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-128","title":"Improper access control on API endpoints","summary":"CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-128","severity":"unknown","cvss":null,"cves":["CVE-2026-44277"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"07c5a3ee-39e5-412c-8c0d-00a4e5c24ec5","num":86866,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-123","title":"Out-of-bounds access in CAPWAP daemon","summary":"CVSSv3 Score: 8.3 An Out-Of-Bounds Write vulnerability [CWE-787] in FortiOS capwap daemon may allow an attacker controlling an authenticated FortiAP FortiExtender or FortiSwitch to gain execution privileges on the FortiGate device Revised on 2026-05-12 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-123","severity":"unknown","cvss":null,"cves":["CVE-2025-53844"],"exploited":false,"has_exploit":false,"published_at":"2026-05-12T07:00:00+00:00"},{"id":"783294c3-3c58-4659-a16c-62d35b21ad0b","num":86869,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-127","title":"Out-Of-Bounds Write in administrative interface","summary":"CVSSv3 Score: 6.7 An out-of-bounds write vulnerability [CWE-787] in FortiWeb CGI daemon may allow a remote privileged attacker to execute arbitrary code or command via crafted HTTP requests. Revised on 2026-04-15 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-127","severity":"unknown","cvss":null,"cves":["CVE-2026-40688"],"exploited":false,"has_exploit":false,"published_at":"2026-04-15T07:00:00+00:00"},{"id":"ea5062da-d5ad-45db-b0c3-3c99fa0cede5","num":86892,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-103","title":"SSRF via Report template and scheduling","summary":"CVSSv3 Score: 4.1 A Server-Side request forgery (SSRF) vulnerability [CWE-918] in FortiSOAR may allow an authenticated attacker to discover services running on local ports via crafted requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-103","severity":"unknown","cvss":null,"cves":["CVE-2025-59809"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"3af4e0ec-05a0-4d1d-8731-17b766957433","num":86894,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-112","title":"Unauthenticated Authentication bypass and Privilege escalation in FortiSandbox","summary":"CVSSv3 Score: 9.1 A Path Traversal vulnerability [CWE-24] in FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-112","severity":"unknown","cvss":null,"cves":["CVE-2026-39813"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"3c2d2437-a5a4-49ca-a5f4-ec0fe22ab850","num":86870,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-101","title":"2FA request can be replayed without a valid token after one successful request","summary":"CVSSv3 Score: 6.7 An Improper authentication vulnerability [CWE-287] in FortiSOAR web GUI may allow an unauthenticated attacker to bypass authentication via replaying captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-101","severity":"unknown","cvss":null,"cves":["CVE-2026-23708"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"becdbb28-37bb-4de3-93df-2eb85d852d97","num":86885,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-118","title":"Open Redirection via Import CSV option","summary":"CVSSv3 Score: 2.2 An URL Redirection to Untrusted Site ('Open Redirect') vulnerability [CWE-601] in FortiNAC-F may allow a remote privileged attacker with system administrator role to redirect users to an arbitrary website via crafted CSV file. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-118","severity":"unknown","cvss":null,"cves":["CVE-2026-21741"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"bfbeb351-1acd-4162-9585-f30ed0bc3b60","num":86895,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-124","title":"unauthorized backup file access","summary":"CVSSv3 Score: 5.4 An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiNDR and FortiVoice may allow a remote authenticated attacker with at least read-only permission on system maintenance to access backup information via crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-124","severity":"unknown","cvss":null,"cves":["CVE-2024-23104"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"e178b68f-b137-44e9-9240-cc44c207fb0d","num":86879,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-108","title":"Integer Overflow Denial of Service in administrative interface","summary":"CVSSv3 Score: 4.4 An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiWeb may allow a privileged authenticated attacker to perform a denial of service of the system via crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-108","severity":"unknown","cvss":null,"cves":["CVE-2026-39811"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"7abef8a0-8907-41a3-9659-0d4d6e5100d6","num":86874,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-104","title":"Clear-text credentials retrievable with IP modification for connectors","summary":"CVSSv3 Score: 4.1 A Storing Passwords in a Recoverable Format vulnerability [CWE-257] in FortiSOAR may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-104","severity":"unknown","cvss":null,"cves":["CVE-2026-22576"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"44bba6ae-2f45-45ba-8f06-10721a046627","num":86877,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-107","title":"Hardcoded symmetric encryption key for Postgresql","summary":"CVSSv3 Score: 5.2 A use of hard-coded cryptographic key vulnerability [CWE 321] in FortiClientEMS may allow an attacker in possession of an encrypted dump of the database to decrypt it. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-107","severity":"unknown","cvss":null,"cves":["CVE-2026-39810"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"dcabb316-0e01-47d8-8fd8-e0358db4f2b3","num":86881,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-114","title":"Multiple Path traversals in CLI","summary":"CVSSv3 Score: 6.2 Multiple Relative Path Traversal vulnerabilities [CWE-23] in FortiWeb may allow a local privileged attacker to execute unauthorized code on the underlying system via crafted CLI commands. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-114","severity":"unknown","cvss":null,"cves":["CVE-2026-39814"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"e4dea292-3bed-4887-8bfc-f051f5c0534c","num":86871,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-115","title":"Arbitrary directory delete on vmimages delete feature","summary":"CVSSv3 Score: 6.2 An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS and FortiSandbox Cloud WEB UI may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-115","severity":"unknown","cvss":null,"cves":["CVE-2026-25691"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"ae9b2c9d-63b2-4ec8-af28-6d165760d69d","num":86878,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-121","title":"Heap-based buffer overflow in oftpd daemon","summary":"CVSSv3 Score: 7.3 A heap-based buffer overflow vulnerability [CWE-122] in FortiAnalyzer Cloud oftpd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-121","severity":"unknown","cvss":null,"cves":["CVE-2026-22828"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"6415b18f-420e-43cb-8d7c-8efb99f2dd07","num":86884,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-100","title":"OS Command Injection through API endpoint","summary":"CVSSv3 Score: 9.1 An Improper Neutralization of Special Elements used in an OS Command ('OS command injection') vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-100","severity":"unknown","cvss":null,"cves":["CVE-2026-39808"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"8a7e3070-6594-49e5-9a1e-d5d2714a3c41","num":86886,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-122","title":"Path Traversal in CLI","summary":"CVSSv3 Score: 5.4 An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] in the command line interpreter of FortiOS, FortiPAM, FortiProxy and FortiSwitchManager may allow a privileged attacker to achieve arbitrary write or delete files via specifically crafted arguments to existing commands. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-122","severity":"unknown","cvss":null,"cves":["CVE-2025-61624"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"1746d965-14d9-4de5-a597-ba4867f7cc38","num":86887,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-120","title":"Path Traversal in CLI","summary":"CVSSv3 Score: 5.4 An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-120","severity":"unknown","cvss":null,"cves":["CVE-2025-68649"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"84bf0586-7ce2-4837-8c9b-39d5dd3d5297","num":86888,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-116","title":"Path Traversal on File Content Extraction connector","summary":"CVSSv3 Score: 6.2 An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSOAR may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-116","severity":"unknown","cvss":null,"cves":["CVE-2026-22573"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"d75ce538-82fd-44b3-acd8-35803e68526b","num":86891,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-111","title":"SQL Injection via JSON RPC API","summary":"CVSSv3 Score: 6.8 An improper neutralization of special elements used in an SQL command ('SQL injection') [CWE-89] in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-111","severity":"unknown","cvss":null,"cves":["CVE-2025-61848"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"a51f083d-077f-48f2-9c51-fe6ff66af41c","num":86893,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-117","title":"Stored Cross Site Scripting (XSS) in Reports View page","summary":"CVSSv3 Score: 4.4 An Improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP Requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-117","severity":"unknown","cvss":null,"cves":["CVE-2026-22154"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"af015e42-d86c-471b-90b8-475303c1964c","num":86872,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-126","title":"Axios npm Package Compromised","summary":"On March 31, 2026, the Axios npm package was compromised via a maintainer account takeover. Two malicious versions were published - axios@1.14.1 and axios@0.30.4 - which introduced a hidden dependency (plain-crypto-js@4.2.1) able to execute a post‑install script deploying a cross‑platform Remote Access Trojan (RAT) on Windows, macOS, and Linux systems. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-126","severity":"unknown","cvss":null,"cves":[],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"5e6018b4-0540-436a-a2ba-e81b032a3c39","num":86873,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-105","title":"Clear-text credentials retrievable with IP modification for LDAP","summary":"CVSSv3 Score: 4.1 A Storing Passwords in a Recoverable Format vulnerability [CWE-257] in FortiSOAR may allow an authenticated remote attacker to retrieve Service account password via server address modification in LDAP configuration. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-105","severity":"unknown","cvss":null,"cves":["CVE-2026-22574"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"f8be0981-b1f2-4963-b231-53f35d8ff6da","num":86875,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-106","title":"Cleartext Credentials in response for API endpoints","summary":"CVSSv3 Score: 6.2 A Cleartext Transmission of Sensitive Information vulnerability [CWE-319] in FortiSOAR may allow an authenticated attacker to view cleartext password in response for Secure Message Exchange and Radius queries, if configured Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-106","severity":"unknown","cvss":null,"cves":["CVE-2026-21742","CVE-2026-22155"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"2d903e0f-213a-4b89-b2cc-58ee9d42fef7","num":86876,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-113","title":"Credential disclosure in LDAP configuration web page.","summary":"CVSSv3 Score: 2.5 An Insufficiently protected credentials vulnerability [CWE-522] in FortiSanbox and FortiSanbox PaaS GUI may allow an authenticated administrator to read LDAP server credentials via client-side inspection. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-113","severity":"unknown","cvss":null,"cves":["CVE-2026-27316"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"94ddb021-5e22-4c51-8480-780921e81981","num":86880,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-125","title":"Missing Authentication for critical function in CAPWAP daemon","summary":"CVSSv3 Score: 6.2 A missing authentication for critical function vulnerability [CWE-306] in FortiOS and FortiSwitchManager CAPWAP daemon may allow a local unauthenticated attacker on the same local IP subnet to write device configuration via specially crafted requests. To be successful, this attack requires the targeted FortiGate device to run a specific, non default configuration. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-125","severity":"critical","cvss":null,"cves":["CVE-2025-53847"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"76d8371b-2271-457d-af55-cfa60cd7cf05","num":86882,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-102","title":"Multiple SQL Injections","summary":"CVSSv3 Score: 7.1 An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an authenticated attacker to run arbitrary SQL queries on the database via sending crafted requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-102","severity":"unknown","cvss":null,"cves":["CVE-2026-39809"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"1019be87-8439-4734-8d2d-e81804c4f103","num":86883,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-110","title":"Multiple Stored XSS","summary":"CVSSv3 Score: 4.3 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow a privileged attacker to perform a stored XSS attack via crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-110","severity":"unknown","cvss":null,"cves":["CVE-2026-39812"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"4a4b164d-d65f-4ddd-bece-2c3eb74efcc2","num":86889,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-109","title":"Reflected XSS in Operation Center","summary":"CVSSv3 Score: 4.9 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow an attacker to perform an XSS attack via crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-109","severity":"unknown","cvss":null,"cves":["CVE-2025-61886"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"9b37884d-b0fb-4e4c-b079-0a3fcf79dd94","num":86890,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-119","title":"SQL Injection via API","summary":"CVSSv3 Score: 7.9 An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiDDoS-F may allow an authenticated attacker to run arbitrary SQL queries on the database by sending crafted HTTP requests. Revised on 2026-04-14 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-119","severity":"unknown","cvss":null,"cves":["CVE-2026-39815"],"exploited":false,"has_exploit":false,"published_at":"2026-04-14T07:00:00+00:00"},{"id":"613a342a-93f2-47bc-80c4-301dc600a6bb","num":86896,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-099","title":"API authentication and authorization bypass","summary":"CVSSv3 Score: 9.1 An Improper Access Control vulnerability [CWE-284] in FortiClient EMS may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6, by following the instructions at:https://docs.fortinet.com/document/forticlient/7.4.5/ems-release-notes/832484 - for FortiClientEMS 7.4.5https://docs.fortinet.com/document/forticlient/7.4.6/ems-release-notes/832484 - for FortiClientEMS 7.4.6Upcoming FortiClientEMS 7.4.7 will also include a fix for this issue. In the meantime the hotfix above is sufficient to prevent it entirely. Revised on 2026-04-04 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-099","severity":"unknown","cvss":null,"cves":["CVE-2026-35616"],"exploited":false,"has_exploit":true,"published_at":"2026-04-04T07:00:00+00:00"},{"id":"a0fe78e7-e33a-4c38-b51a-4f8a95745665","num":86897,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-26-096","title":"OS command injection on vmimages update feature","summary":"CVSSv3 Score: 6.7 An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. Revised on 2026-03-26 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-26-096","severity":"unknown","cvss":null,"cves":["CVE-2026-25836"],"exploited":false,"has_exploit":false,"published_at":"2026-03-10T07:00:00+00:00"},{"id":"1e837fe6-701f-4c16-a97a-b8628c02c0f8","num":86848,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-25-1052","title":"LDAP authentication bypass in Agentless VPN and FSSO","summary":"CVSSv3 Score: 7.5 An Authentication Bypass by Primary Weakness vulnerability [CWE-305] in FortiOS fnbamd may allow an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FSSO policy, under specific LDAP server configuration. Revised on 2026-07-04 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-25-1052","severity":"unknown","cvss":null,"cves":["CVE-2026-22153"],"exploited":false,"has_exploit":false,"published_at":"2026-02-10T08:00:00+00:00"},{"id":"192e5891-5571-4ced-b7df-35c8dfc64bf9","num":86855,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-25-545","title":"Trusted hosts bypass via SSH","summary":"CVSSv3 Score: 1.8 An Improper Privilege Management vulnerability [CWE-269] in FortiOS, FortiProxy and FortiPAM may allow an authenticated administrator to bypass the trusted host policy via crafted CLI command. Revised on 2026-05-27 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-25-545","severity":"unknown","cvss":null,"cves":["CVE-2025-54821"],"exploited":false,"has_exploit":false,"published_at":"2025-11-18T08:00:00+00:00"},{"id":"f7c4c056-6d73-40eb-81dc-8e674d039172","num":86853,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-24-452","title":"Insertion of Sensitive 2FA Information in logs and debug command","summary":"CVSSv3 Score: 2.6 An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via diagnose command. Revised on 2026-06-08 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-24-452","severity":"unknown","cvss":null,"cves":["CVE-2025-31514"],"exploited":false,"has_exploit":false,"published_at":"2025-10-14T07:00:00+00:00"},{"id":"b5074772-1037-4804-94cf-cf5f3a83fa74","num":86849,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-24-257","title":"Information Disclosure on SSLVPN endpoint","summary":"CVSSv3 Score: 3.9 An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in FortiOS SSL-VPN web-mode may allow an authenticated user to access full SSL-VPN settings via crafted URL. Revised on 2026-06-15 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-24-257","severity":"unknown","cvss":null,"cves":["CVE-2025-25250"],"exploited":false,"has_exploit":false,"published_at":"2025-06-10T07:00:00+00:00"},{"id":"fbea2f33-4b82-4807-8f9e-ec3b8f055467","num":86856,"source_id":"fortinet","external_id":"https://fortiguard.fortinet.com/psirt/FG-IR-25-122","title":"Pre-authentication Denial of Service attack in OpenSSH - CVE-2025-26466","summary":"CVSSv3 Score: 5.9 CVE-2025-26466A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. Revised on 2026-05-25 00:00:00","link":"https://fortiguard.fortinet.com/psirt/FG-IR-25-122","severity":"unknown","cvss":null,"cves":["CVE-2025-26466"],"exploited":false,"has_exploit":false,"published_at":"2025-03-11T07:00:00+00:00"}]}