{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39811", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2026-04-07T15:24:09.991Z", "datePublished": "2026-04-14T15:38:20.186Z", "dateUpdated": "2026-04-14T16:46:15.353Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiWeb", "cpes": ["cpe:2.3:a:fortinet:fortiweb:8.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.11:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "8.0.0", "lessThanOrEqual": "8.0.3", "status": "affected"}, {"versionType": "semver", "version": "7.6.0", "lessThanOrEqual": "7.6.6", "status": "affected"}, {"versionType": "semver", "version": "7.4.0", "lessThanOrEqual": "7.4.12", "status": "affected"}, {"versionType": "semver", "version": "7.2.0", "lessThanOrEqual": "7.2.12", "status": "affected"}, {"versionType": "semver", "version": "7.0.0", "lessThanOrEqual": "7.0.12", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow attacker to denial of service via <insert attack vector here>"}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:20.186Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-190", "description": "Denial of service", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiWeb version 8.0.4 or above\nUpgrade to FortiWeb version 7.6.7 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-108", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-108"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39811", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T16:25:41.160205Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:46:15.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39811", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T16:25:41.160205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:37:10.806Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortiweb:8.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.12:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.11:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.10:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.12:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.11:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.10:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortiweb:7.0.0:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiWeb", "versions": [{"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.0.3"}, {"status": "affected", "version": "7.6.0", "versionType": "semver", "lessThanOrEqual": "7.6.6"}, {"status": "affected", "version": "7.4.0", "versionType": "semver", "lessThanOrEqual": "7.4.12"}, {"status": "affected", "version": "7.2.0", "versionType": "semver", "lessThanOrEqual": "7.2.12"}, {"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.0.12"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiWeb version 8.0.4 or above\nUpgrade to FortiWeb version 7.6.7 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-108", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-108"}], "descriptions": [{"lang": "en", "value": "A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow attacker to denial of service via <insert attack vector here>"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "Denial of service"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:20.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39811", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:46:15.353Z", "dateReserved": "2026-04-07T15:24:09.991Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2026-04-14T15:38:20.186Z", "assignerShortName": "fortinet"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow attacker to denial of service via <insert attack vector here>"}], "id": "CVE-2026-39811", "lastModified": "2026-04-14T16:16:45.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2026-04-14T16:16:45.310", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-108"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.3]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.6.0,7.6.6]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.4.0,7.4.12]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.2.0,7.2.12]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.0.12]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "FortiWeb", "source": "cna", "vendor": "Fortinet"}, "product": "fortiweb", "vendor": "fortinet"}], "analysis": {"en": {"generated_at": "2026-04-14T17:39:57.402242+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch by upgrading FortiWeb to version 8.0.4 or later", "If running a 7.x version, upgrade to FortiWeb 7.6.7 or later", "For older 7.4, 7.2, or 7.0 releases, obtain and install the latest firmware updates from Fortinet", "If an upgrade cannot be performed immediately, restrict external access to FortiWeb management interfaces and monitor logs for abnormal traffic patterns"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are Fortinet FortiWeb appliances running firmware versions 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, all published 7.4 releases, all 7.2 releases, and all 7.0 releases. The recommended mitigation is to upgrade to FortiWeb 8.0.4 or newer, or to upgrade to 7.6.7 or newer if operating on a 7.x branch. For older branches, applying the latest patch release available from Fortinet is advised.", "description_and_impact": "An integer overflow or wraparound flaw exists in several Fortinet FortiWeb firmware releases. The vulnerability, identified as CWE-190, could allow an attacker to trigger a denial of service by causing an internal counter to exceed its bounds and corrupt memory or reset processing loops. According to the description, the exact method of exploitation is not explicitly provided, so it is inferred that the attacker would need to send a specially crafted HTTP request or sequence of requests to the FortiWeb appliance, but the high-level impact remains a service disruption.", "risk_and_exploitability": "The CVSS score of 4.4 indicates moderate severity, reflecting that this flaw primarily causes service disruption without granting attacker remote code execution. The EPSS score is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Nonetheless, the flaw could be leveraged by attackers who can reach the FortiWeb appliance over the network, and its exploitability is likely low to moderate, meaning that while the attack may not be widespread, it is still significant for environments running the affected firmware."}}}}, "created": "2026-04-15T14:41:09.658096+00:00", "title": "Integer Overflow in FortiWeb Leading to Denial of Service", "updated": "2026-04-15T15:30:06.818200+00:00", "vendors": ["fortinet", "fortinet$PRODUCT$fortiweb"]}