{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25691", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2026-02-05T08:56:55.794Z", "datePublished": "2026-04-14T15:38:16.406Z", "dateUpdated": "2026-04-14T16:46:16.085Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSandbox PaaS", "cpes": ["cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "5.0.4", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiSandbox Cloud", "cpes": ["cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "5.0.4", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiSandbox", "cpes": ["cpe:2.3:a:fortinet:fortisandbox:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "5.0.0", "lessThanOrEqual": "5.0.5", "status": "affected"}, {"versionType": "semver", "version": "4.4.0", "lessThanOrEqual": "4.4.8", "status": "affected"}, {"versionType": "semver", "version": "4.2.1", "lessThanOrEqual": "4.2.8", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests."}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:16.406Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:F/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Fortinet remediated this issue in FortiSandbox Cloud version 5.0.5 and hence customers do not need to perform any action.\nUpgrade to upcoming FortiSandbox version 5.2.0 or above\nUpgrade to FortiSandbox version 5.0.6 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.5 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-115", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-115"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T16:34:33.306644Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:46:16.085Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25691", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T16:34:33.306644Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:37:20.807Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:F/RL:O/RC:C", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox PaaS", "versions": [{"status": "affected", "version": "5.0.4"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox Cloud", "versions": [{"status": "affected", "version": "5.0.4"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:fortinet:fortisandbox:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox", "versions": [{"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.0.5"}, {"status": "affected", "version": "4.4.0", "versionType": "semver", "lessThanOrEqual": "4.4.8"}, {"status": "affected", "version": "4.2.1", "versionType": "semver", "lessThanOrEqual": "4.2.8"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Fortinet remediated this issue in FortiSandbox Cloud version 5.0.5 and hence customers do not need to perform any action.\nUpgrade to upcoming FortiSandbox version 5.2.0 or above\nUpgrade to FortiSandbox version 5.0.6 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.5 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-115", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-115"}], "descriptions": [{"lang": "en", "value": "A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:16.406Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25691", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:46:16.085Z", "dateReserved": "2026-02-05T08:56:55.794Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2026-04-14T15:38:16.406Z", "assignerShortName": "fortinet"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests."}], "id": "CVE-2026-25691", "lastModified": "2026-04-14T16:16:37.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2026-04-14T16:16:37.623", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-115"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-14T17:41:43.621599+00:00", "value": {"mitigation_remediation": ["If running FortiSandbox Cloud, ensure you are on version 5.0.5 or newer\u2014no action required thereafter.", "If using FortiSandbox Cloud 5.0.4 or older, upgrade to 5.0.5 or newer immediately.", "If using FortiSandbox 5.0.x, upgrade to version 5.0.6 or newer.", "If using FortiSandbox 4.4.x, upgrade to version 4.4.9 or newer.", "If using FortiSandbox 4.2.x, upgrade to version 5.2.0 or newer.", "If using FortiSandbox PaaS 5.0.4, upgrade to 5.0.5 or newer."], "summary": {"action": "Patch", "impact": "Data deletion and service disruption by privileged user"}, "threat_synthesis": {"affected_systems": "Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS are affected. Vulnerable versions include FortiSandbox 5.0.0\u20135.0.5, 4.4.0\u20134.4.8, and all 4.2.x releases; FortiSandbox Cloud 5.0.4; FortiSandbox PaaS 5.0.4.", "description_and_impact": "An improper limitation of a pathname to a restricted directory allows an attacker with super\u2011admin privileges and CLI access to delete any directory through crafted HTTP requests. The flaw can lead to loss of sandbox data and disruption of security monitoring activities. The weakness is a classic path traversal (CWE\u201122).", "risk_and_exploitability": "The CVSS score is 6.2, indicating medium severity. Exploitation requires super\u2011admin credentials and CLI access, which limits the attack surface to internal or privileged users. While EPSS data is not available and the vulnerability is not listed in KEV, the potential to delete critical directories makes it a significant risk for affected installations."}}}}, "created": "2026-04-15T15:30:06.821143+00:00", "title": "Path Traversal Enables Deletion of Arbitrary Directories in FortiSandbox", "updated": "2026-04-15T15:30:06.821156+00:00", "vendors": []}