CVE-2026-39813
Two critical security vulnerabilities, CVE-2026-39808 and CVE-2026-39813, have been identified in Fortinet FortiSandbox versions 4.4.0 through 4.4.8; CVE-2026-39813 additionally affects versions 5.0.0 through 5.0.5. The flaws arise from OS command injection and path traversal, vulnerability classes that let an attacker manipulate system commands and directory structures, potentially leading to unauthorized actions such as arbitrary code execution and privilege escalation. In affected versions, an attacker can exploit them by sending specially crafted HTTP requests, resulting in unauthorized code execution or authentication bypass. Both flaws can be exploited by completely unauthenticated remote attackers and require no prior privileges or user interaction.
EPSS 0.12% · 30.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fortinet | FortiSandbox | 5.0.0 through 5.0.5 |
| Fortinet | FortiSandbox | 4.4.0 through 4.4.8 |
Exploit Intelligence
- CVE-2026-39813 - Fortinet Sandbox - Draft (github-poc)
- CVE-2026-39813 - Fortinet Sandbox - Draft (github-poc-repo)
…and 23 more exploits
Timeline
- CVE Published
- Apr 14, 2026 PoC Published
- Apr 14, 2026 PoC Published
- Apr 21, 2026 Security Advisory
- Apr 22, 2026 PoC Published
- May 18, 2026 EPSS Score
- May 19, 2026 EPSS Score
- May 20, 2026 EPSS Score
- May 21, 2026 EPSS Score
- May 22, 2026 EPSS Score
- May 23, 2026 EPSS Score
- May 24, 2026 EPSS Score