Two critical vulnerabilities (CVE-2026-39808 and CVE-2026-39813) have been disclosed in Fortinet's FortiSandbox product, both rated CVSS 9.1. The first is an OS command injection flaw that allows unauthenticated remote code execution via crafted HTTP requests and affects versions 4.4.0–4.4.8. The second is a path traversal bug in the JRPC API that enables an authentication bypass and affects versions 4.4.0–4.4.8 and 5.0.0–5.0.5. Patches are available (4.4.9 or later, and 5.0.6 or later). No active exploitation has been reported yet, but public scanners for both CVEs already exist, which makes patching immediately a priority.
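As an added triage example (not from the article or from Fortinet), the helper below checks FortiSandbox version strings from a constructed inventory against the affected ranges quoted above and reports which CVE applies and the minimum fixed release on that branch; the host names and version values are constructed sample data.

```python
# Added example: map FortiSandbox versions to the affected ranges stated in the
# advisory summary (4.4.0-4.4.8 for both CVEs, 5.0.0-5.0.5 for CVE-2026-39813).
from collections import namedtuple

Advisory = namedtuple("Advisory", ["cve", "affected", "fixed_in"])

# affected: (low, high) inclusive ranges; fixed_in: first patched release per branch.
ADVISORIES = (
    Advisory("CVE-2026-39808", (((4, 4, 0), (4, 4, 8)),), ((4, 4, 9),)),
    Advisory("CVE-2026-39813", (((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5))),
             ((4, 4, 9), (5, 0, 6))),
)


def parse_version(text):
    """Turn 'v5.0.5' / '5.0.5' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(p) for p in parts)


def applicable_cves(version_text):
    """Return [(cve, fixed_version_str), ...] for the given FortiSandbox version."""
    version = parse_version(version_text)
    hits = []
    for adv in ADVISORIES:
        for low, high in adv.affected:
            if low <= version <= high:  # tuple comparison handles 4.4.10 > 4.4.8
                fix = next(f for f in adv.fixed_in if f[:2] == low[:2])
                hits.append((adv.cve, ".".join(str(n) for n in fix)))
                break
    return hits


def triage(inventory):
    """inventory: iterable of 'hostname,version' lines. Unparseable -> None."""
    report = {}
    for line in inventory:
        host, version = line.split(",", 1)
        try:
            report[host] = applicable_cves(version)
        except ValueError:
            report[host] = None  # flag for manual review rather than silently skip
    return report


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = ["sbx-01,4.4.3", "sbx-02,5.0.6", "sbx-03,unknown", "sbx-04,v5.0.5"]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(host, "manual review" if result is None else (result or "not affected"))
```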

Source: go.theregister.com
