OS Command Injection in Fortinet FortiSandbox (CVE-2026-25089)

critical-cve-against-infra · active

A critical OS command injection vulnerability in Fortinet FortiSandbox may allow an unauthenticated attacker to execute unauthorized commands via specially crafted HTTP requests. Multiple FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS versions are affected.

Affected packages

Sources

• ghsahttps://github.com/advisories/GHSA-gw24-hwf5-92h2
• nvdhttps://nvd.nist.gov/vuln/detail/CVE-2026-25089
• msrchttps://fortiguard.fortinet.com/psirt/FG-IR-26-141