CVE Catalog

CVE-2026-26083

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.73%

50th percentile — higher than 50% of all known CVEs

Summary

A missing authorization vulnerability in Fortinet FortiSandbox allows an unauthenticated attacker to execute unauthorized code or commands via HTTP requests. The issue affects multiple versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.

Risk Assessment

The risk for the organization includes remote takeover of the FortiSandbox appliance without authentication, potentially leading to compromise of data confidentiality, integrity, and availability, as well as infrastructure security.

Recommendation

Immediately upgrade FortiSandbox to the latest available version and apply security patches provided by the vendor. Restrict management interface access to trusted networks only.

Original NVD description (English source)

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all versions, FortiSandbox PaaS 22.1 all versions, FortiSandbox PaaS 21.4 all versions, FortiSandbox PaaS 21.3 all versions, FortiSandbox PaaS 5.0.0 through 5.0.1, FortiSandbox PaaS 4.4.5 through 4.4.8 may allow an unauthenticated attacker to execute unauthorized code or commands via HTTP requests.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS