Fortinet Issues Critical Patches for Multiple Vulnerabilities
Severity: High (Score: 72.0)
Sources: Theregister, Heise.De, Cybersecuritynews, www.fortiguard.com, fortiguard.fortinet.com
Summary
Fortinet has released patches for 18 security vulnerabilities across its products, with two critical flaws in FortiSandbox receiving CVSS scores of 9.1. The vulnerabilities, CVE-2026-39808 and CVE-2026-39813, allow unauthenticated attackers to execute arbitrary commands and bypass authentication via crafted HTTP requests. Affected versions include FortiSandbox 4.4.0 to 4.4.8 and 5.0.0 to 5.0.5, with fixes available in versions 4.4.9 and 5.0.6 or newer. Other vulnerabilities include SQL injection risks in FortiDDoS and FortiClient EMS, which also require immediate patching. The vulnerabilities were disclosed on April 14, 2026, and are part of a broader set of advisories issued by Fortinet. Security professionals are advised to check their systems for affected versions and apply the necessary updates. There are currently no reports of active exploitation for these vulnerabilities.
Key Points:
- Fortinet released patches for 18 vulnerabilities, including two critical flaws in FortiSandbox.
- CVE-2026-39808 and CVE-2026-39813 allow unauthenticated remote code execution and authentication bypass.
- Affected systems include FortiSandbox versions 4.4.0 to 4.4.8 and 5.0.0 to 5.0.5, with fixes available.
Key Entities
- SQL Injection (attack_type)
- Zero-day Exploit (attack_type)
- Fortinet (company)
- CVE-2026-22828 (cve)
- CVE-2026-35616 (cve)
- CVE-2026-39808 (cve)
- CVE-2026-39809 (cve)
- CVE-2026-39813 (cve)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1190 - Exploit Public-Facing Application (mitre_attack)
- FortiAnalyzer Cloud (platform)
- FortiClient EMS (platform)
- FortiDDoS-F (platform)
- FortiManager Cloud (platform)
- FortiSandbox (platform)
- OS Command Injection (vulnerability)