CVE-2026-21643
Status: PUBLISHED · KEV
CVSS 9.8 CRITICAL
CVE-2026-21643: FortiClient EMS (Critical, Actively Exploited). Only FortiClient EMS 7.4.4 is affected; the 7.2 and 8.0 branches are not. An unauthenticated attacker (the CVSS vector carries PR:N) can send a crafted GET request to /api/v1/init_consts with a malicious Site header and inject arbitrary SQL. The direct impact is data exfiltration or manipulation of the EMS database; OS command execution is possible if the injection is chained further. Single-site (non-multi-tenant) deployments are reported as not affected. Fortinet's advisory is FG-IR-25-1142, and the issue is listed in CISA's KEV catalog.
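As an added example (not code from Fortinet, Bishop Fox, or this database), the following Python script covers the two questions a defender brings to this entry: is a given EMS version in the affected set the page lists, and did any request hit GET /api/v1/init_consts with a Site header that looks like an injection attempt. The record format, the indicator list and the sample requests are assumptions: it expects raw request heads as a reverse proxy or WAF in front of EMS would log them (ordinary access logs usually do not record the Site header), and the sample records are constructed here, with a generic SQL metacharacter probe rather than any exploit payload.

```python
"""Triage helpers for CVE-2026-21643 (added example, not vendor or researcher code).

Facts taken from the advisory summary on this page:
  - only FortiClient EMS 7.4.4 is affected;
  - the injection point is the Site header of GET /api/v1/init_consts.
Everything else (record format, indicator list, sample requests) is an assumption.
"""
import re
from dataclasses import dataclass, field

# Affected set as stated on this page; extend only from the vendor advisory.
AFFECTED_VERSIONS = {"7.4.4"}

INIT_CONSTS_PATH = "/api/v1/init_consts"

# Coarse SQL-injection indicators for a header that should hold a plain site name:
# quotes, comment sequences, a statement terminator and a few SQL keywords.
SQLI_PATTERN = re.compile(
    r"""(['"]|--|/\*|\*/|;|\b(?:union|select|insert|update|delete|drop|sleep|pg_sleep|waitfor|exec)\b)""",
    re.IGNORECASE,
)


def is_affected(version: str) -> bool:
    """True when an EMS version string is in the affected set listed on this page."""
    return version.strip() in AFFECTED_VERSIONS


@dataclass
class Finding:
    method: str
    path: str
    site: str
    indicators: list = field(default_factory=list)


def parse_request(raw: str):
    """Parse a raw HTTP/1.1 request head (request line + headers). Returns None if malformed."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    parts = lines[0].split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw: str):
    """Return a Finding when a request targets init_consts with a suspicious Site header, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    if target.split("?", 1)[0] != INIT_CONSTS_PATH:
        return None
    site = headers.get("site")
    if site is None:
        return None
    indicators = sorted({m.lower() for m in SQLI_PATTERN.findall(site)})
    if not indicators:
        return None
    return Finding(method, target, site, indicators)


def scan(requests):
    """Scan an iterable of raw request records and return the suspicious ones."""
    return [f for f in map(check_request, requests) if f is not None]


# Constructed sample records (assumed captured by a reverse proxy or WAF that logs
# request headers). The probe string is a generic SQL metacharacter test, not an exploit.
SAMPLE_REQUESTS = [
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\nSite: default\r\n\r\n",
    "GET /api/v1/init_consts HTTP/1.1\r\nHost: ems.example.internal\r\nSite: default' --\r\n\r\n",
    "GET /api/v1/status HTTP/1.1\r\nHost: ems.example.internal\r\nSite: x' OR 1=1 --\r\n\r\n",
    "garbage",  # malformed record, must be skipped rather than crash the scan
]

if __name__ == "__main__":
    for v in ("7.2.0", "7.4.4", "8.0.0"):  # arbitrary version strings for illustration
        print(f"EMS {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.method} {f.path} Site={f.site!r} indicators={f.indicators}")
```

The indicator list is deliberately coarse (a legitimate site name containing the word "select" would be flagged), so treat a hit as a lead to verify against the EMS database and host, not as confirmed compromise; conversely, a clean scan only covers the records you actually have, and the sightings in the timeline below show the endpoint has been probed for years.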
EPSS 62.52% · 98.4th percentile
Risk Scores
CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
62.52%
98.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fortinet | FortiClientEMS | 7.4.4 |
Timeline
- May 14, 2021 CrowdSec Sighting
- Mar 9, 2023 CrowdSec Sighting
- Apr 5, 2023 CrowdSec Sighting
- Aug 10, 2023 CrowdSec Sighting
- May 30, 2024 CrowdSec Sighting
- May 31, 2024 CrowdSec Sighting
- Jul 31, 2024 CrowdSec Sighting
- Jun 19, 2025 CrowdSec Sighting
- Oct 8, 2025 CrowdSec Sighting
- Oct 20, 2025 CrowdSec Sighting
- Feb 6, 2026 EPSS Score
- Feb 6, 2026 CVE Published
References
- https://ccb.belgium.be/advisories/warning-forticlient-ems-sql-injection-cve-2026-21643-patch-immediately advisory
- https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 vendor
- https://bishopfox.com/blog/cve-2026-21643-pre-authentication-sql-injection-in-forticlient-ems-7-4-4 technical
- https://www.helpnetsecurity.com/2026/03/30/forticlient-ems-cve-2026-21643-reported-exploitation/ technical
- https://www.cve.org/CVERecord?id=CVE-2026-21643 technical