{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39815", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2026-04-07T15:24:20.512Z", "datePublished": "2026-04-14T15:38:22.588Z", "dateUpdated": "2026-04-14T17:35:54.853Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiDDoS-F", "cpes": ["cpe:2.3:o:fortinet:fortiddos-f:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortiddos-f:7.2.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "7.2.1", "lessThanOrEqual": "7.2.2", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests"}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T17:35:54.853Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiDDoS-F version 7.2.3 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-119", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-119"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39815", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T16:22:55.316897Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:46:14.769Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39815", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T16:22:55.316897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:37:02.310Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:2.3:o:fortinet:fortiddos-f:7.2.2:*:*:*:*:*:*:*", "cpe:2.3:o:fortinet:fortiddos-f:7.2.1:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiDDoS-F", "versions": [{"status": "affected", "version": "7.2.1", "versionType": "semver", "lessThanOrEqual": "7.2.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiDDoS-F version 7.2.3 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-119", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-119"}], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T17:35:54.853Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39815", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:35:54.853Z", "dateReserved": "2026-04-07T15:24:20.512Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2026-04-14T15:38:22.588Z", "assignerShortName": "fortinet"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests"}], "id": "CVE-2026-39815", "lastModified": "2026-04-14T18:17:39.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2026-04-14T16:16:46.383", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-119"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@fortinet.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.2.1,7.2.2]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "FortiDDoS-F", "source": "cna", "vendor": "Fortinet"}, "product": "fortiddos-f", "vendor": "fortinet"}], "analysis": {"en": {"generated_at": "2026-04-14T20:46:56.200034+00:00", "value": {"mitigation_remediation": ["Upgrade to FortiDDoS-F version 7.2.3 or above", "If a firmware upgrade cannot be applied immediately, investigate HTTP traffic for suspicious SQL injection patterns and block malicious requests at the network perimeter", "Verify that the device firmware is updated by consulting the FortinGuard advisory and checking device logs for any injection attempts"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via SQL injection"}, "threat_synthesis": {"affected_systems": "Fortinet\u2019s FortiDDoS-F product is affected when deployed with firmware versions 7.2.1 and 7.2.2. The vulnerability is linked to product releases before version 7.2.3, which includes the fix.", "description_and_impact": "FortiDDoS-F firmware versions 7.2.1 and 7.2.2 contain an SQL injection vulnerability caused by improper neutralization of special characters in SQL commands. An attacker who can send crafted HTTP requests to the device may be able to inject malicious SQL, which can lead to unauthorized execution of code or commands. This flaw could compromise the integrity of the device, potentially allowing an attacker to gain elevated privileges or disrupt service.", "risk_and_exploitability": "The CVSS base score of 7.9 reflects high severity, indicating that exploitation poses a substantial risk. EPSS data is not publicly available, and the vulnerability is not listed in CISA\u2019s KEV catalog, so no confirmed exploits are known. Based on the description, the likely attack vector is remote, via network\u2011based HTTP requests, and does not appear to require authenticated access, meaning any external actor could attempt injection. Consequently, the impact is high if the flaw is leveraged, emphasizing the need for timely remediation."}}}}, "created": "2026-04-15T14:41:09.656389+00:00", "title": "SQL Injection in FortiDDoS-F Enabling Unauthorized Code Execution", "updated": "2026-04-15T15:30:06.815212+00:00", "vendors": ["fortinet", "fortinet$PRODUCT$fortiddos-f"]}