CVE-2026-39808

CVE-2026-39808 · PUBLISHED · CVSS 9.8 CRITICAL

Two critical security vulnerabilities, CVE-2026-39808 and CVE-2026-39813, have been identified in Fortinet FortiSandbox versions 4.4.0 through 4.4.8, with CVE-2026-39813 additionally affecting versions 5.0.0 through 5.0.5. These flaws arise from OS command injection and path traversal, vulnerability classes that let attackers manipulate system commands and directory structures, potentially leading to unauthorized actions such as arbitrary code execution and privilege escalation. In affected versions, specially crafted HTTP requests can result in unauthorized code execution or authentication bypass. Notably, both flaws can be exploited by completely unauthenticated remote attackers, with no prior privileges or user interaction required.

EPSS 27.94% · 96.6th percentile

Risk Scores

CVSS 3.1: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 27.94% (96.6th percentile)

Affected Products

Vendor        Product       Versions
FortiSandbox  FortiSandbox  5.0.0 through 5.0.5
FortiSandbox  FortiSandbox  4.4.0 through 4.4.8

Timeline

  • CVE Published
  • Apr 14, 2026 PoC Published
  • Apr 14, 2026 PoC Published
  • Apr 16, 2026 PoC Published
  • Apr 21, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score