Fortinet Patches Critical Flaws in Forti Vulnerabilities Across

Fortinet has issued an extensive set of security advisories on April 14, 2026, disclosing 11 vulnerabilities across several product lines. Among these, two are rated Critical, two are High, and seven fall into the Medium or Low severity categories.

The disclosures affect FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, urging enterprise administrators to prioritize patching immediately.

Critical FortiSandbox PaaS Flaws

The most severe vulnerability in this advisory batch is CVE-2026-39808 (FG-IR-26-100), a Critical-rated OS command injection flaw in FortiSandbox and FortiSandbox PaaS.

Rooted in CWE-122 (Improper Neutralization of Special Elements used in an OS Command), this unauthenticated API-accessible vulnerability affects FortiSandbox versions 4.4.4 through 4.4.8 and FortiSandbox PaaS versions up to 23.4.4374.

An unauthenticated remote attacker could exploit this flaw to execute arbitrary OS commands on the underlying system, potentially leading to full device compromise.

Equally alarming is CVE-2026-39813 (FG-IR-26-112), a Critical path traversal vulnerability (CWE-24) in FortiSandbox’s JRPC API.

This unauthenticated flaw affects FortiSandbox versions 5.0.1 through 5.0.5 and may allow attackers to bypass authentication mechanisms entirely and escalate privileges without any valid credentials, making it one of the most dangerous disclosures in this release cycle.

Rated High, CVE-2026-22828 (FG-IR-26-121) describes a heap-based buffer overflow (CWE-122) in the oftpd daemon of FortiAnalyzer Cloud and FortiManager Cloud.

Affecting versions 7.6.2 through 7.6.4, this unauthenticated, network-exposed vulnerability could be leveraged by a remote attacker to execute arbitrary code or crash the affected service. No authentication is required, significantly raising its exploitability profile.

Authentication and Access Control Gaps

CVE-2025-53847 (FG-IR-26-125) exposes a missing authentication for a critical function flaw (CWE-306) in the CAPWAP daemon of FortiOS and FortiSwitchManager.

Rated Medium and accessible without authentication from an internal network, the vulnerability affects FortiOS 7.4.8 through 7.6.3, making it a priority for organizations running segmented enterprise network environments.

CVE-2026-27316 (FG-IR-26-113) reveals an insufficiently protected credentials vulnerability (CWE-522) in FortiSandbox and FortiSandbox PaaS web GUI, specifically within the LDAP configuration page.

Rated Low, this externally accessible authenticated flaw affects FortiSandbox 5.0.1–5.0.5 and PaaS versions up to 23.4.4374, potentially exposing LDAP bind credentials to authenticated users with GUI access.

Path Traversal, Cross-Site Scripting, and SQL Injection Vulnerabilities

Fortinet addressed three separate path traversal vulnerabilities in this release. CVE-2026-25691 (FG-IR-26-115) targets FortiSandbox’s vmimages delete feature, enabling arbitrary directory deletion by authenticated GUI users.

CVE-2025-68649 (FG-IR-26-120) affects FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud CLI interfaces across the 7.6.x and 7.4.x branches, while CVE-2025-61624 (FG-IR-26-122) impacts FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager CLI components across multiple versions. All three are rated Medium and require authenticated internal access.

Multiple XSS vulnerabilities also appeared in this release. CVE-2026-39812 (FG-IR-26-110) introduces stored XSS risks across FortiSandbox and FortiSandbox PaaS 5.0.1–5.0.5, while CVE-2025-61886 (FG-IR-26-109) describes a reflected XSS flaw in FortiSandbox’s Operation Center interface, accessible to unauthenticated users from an internal position.

Rounding out the disclosures is CVE-2025-61848 (FG-IR-26-111), an SQL injection vulnerability (CWE-89) via the JSON RPC API in FortiAnalyzer and FortiManager versions 7.6.1–7.6.4, as well as their cloud counterparts. Authenticated internal access is required, but successful exploitation could allow attackers to manipulate backend database queries.

Mitigations

Security teams should prioritize patching in the following order based on severity and attack vector:

• Immediately: CVE-2026-39808 and CVE-2026-39813 (Critical, unauthenticated FortiSandbox flaws)
• Urgently: CVE-2026-22828 (High, unauthenticated heap overflow in FortiAnalyzer/FortiManager Cloud)
• High priority: CVE-2025-53847 (Medium, unauthenticated CAPWAP daemon in FortiOS)
• Scheduled patching: All remaining Medium and Low findings across FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager

Administrators should consult Fortinet’s PSIRT portal for specific fixed versions and apply available patches without delay.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.