{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39808", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2026-04-07T15:24:03.838Z", "datePublished": "2026-04-14T15:38:02.089Z", "dateUpdated": "2026-04-15T03:58:23.870Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSandbox", "cpes": ["cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "4.4.0", "lessThanOrEqual": "4.4.8", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiSandbox PaaS", "cpes": ["cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "23.4.4374", "status": "affected"}, {"version": "23.4.4350", "status": "affected"}, {"version": "23.3.4329", "status": "affected"}, {"version": "23.1.4245", "status": "affected"}, {"version": "22.2.4151", "status": "affected"}, {"version": "22.2.4134", "status": "affected"}, {"version": "22.1.4113", "status": "affected"}, {"version": "21.4.4072", "status": "affected"}, {"version": "21.3.4055", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>"}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:02.089Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.2 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-100", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-100"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-39808"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T03:58:23.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39808", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T16:29:22.942118Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:37:38.704Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox", "versions": [{"status": "affected", "version": "4.4.0", "versionType": "semver", "lessThanOrEqual": "4.4.8"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox PaaS", "versions": [{"status": "affected", "version": "23.4.4374"}, {"status": "affected", "version": "23.4.4350"}, {"status": "affected", "version": "23.3.4329"}, {"status": "affected", "version": "23.1.4245"}, {"status": "affected", "version": "22.2.4151"}, {"status": "affected", "version": "22.2.4134"}, {"status": "affected", "version": "22.1.4113"}, {"status": "affected", "version": "21.4.4072"}, {"status": "affected", "version": "21.3.4055"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.2 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-100", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-100"}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:02.089Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39808", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:46:17.620Z", "dateReserved": "2026-04-07T15:24:03.838Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2026-04-14T15:38:02.089Z", "assignerShortName": "fortinet"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>"}], "id": "CVE-2026-39808", "lastModified": "2026-04-14T16:16:44.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2026-04-14T16:16:44.860", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-100"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-14T17:45:49.824857+00:00", "value": {"mitigation_remediation": ["Upgrade FortiSandbox to version 4.4.9 or higher", "Upgrade FortiSandbox PaaS to version 5.0.2 or higher", "If an upgrade is not immediately possible, isolate the affected sandbox from network traffic and monitor logs for unusual activity"], "summary": {"action": "Immediate patch", "impact": "Remote code execution via OS command injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects FortiSandbox versions 4.4.0 to 4.4.8 and FortiSandbox PaaS releases 21.3.4055 through 23.4.4374. Users deploying any of these builds must ensure they apply the latest patches.", "description_and_impact": "An OS command injection flaw exists in Fortinet FortiSandbox 4.4.0 through 4.4.8, allowing an attacker to supply input that is not properly sanitized when passed to the operating system. This leads to execution of arbitrary commands or code on the sandbox host, giving the attacker control over the processing of data and potentially the underlying infrastructure.", "risk_and_exploitability": "The flaw scores a CVSS base of 9.1, indicating a critical severity. Exploitation requires an attacker to send malicious input to an unsanitized interface; the attack vector is inferred to be external, such as a malicious file or request sent to the sandbox. No published exploits are known at the time of this advisory and the issue is not in the CISA KEV catalog, but the high score suggests a strong likelihood of future exploitation if left unpatched."}}}}, "created": "2026-04-15T15:30:06.827610+00:00", "title": "OS Command Injection in FortiSandbox Enabling Remote Code Execution", "updated": "2026-04-15T15:30:06.827628+00:00", "vendors": []}