CVE-2026-25089
Critical · CVSS 9.8
Fortinet FortiSandbox — Unauthenticated OS Command Injection (CWE-78)
- CVSS: 9.8 (nvd)
- EPSS: —
- KEV: No
- Class: other
- CWE: CWE-78
Description
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Search profile — drives PoC discovery
Symbols: HTTP request handler, command injection, OS command execution, unauthenticated endpoint, FG-IR-26-141
Keywords: CVE-2026-25089, FortiSandbox, OS command injection, unauthenticated RCE, FG-IR-26-141, FortiSandbox Cloud, FortiSandbox PaaS, HTTP request command injection, Fortinet RCE
Versions: FortiSandbox 5.0.0–5.0.5, 4.4.0–4.4.8, 4.2 all versions; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5
Candidate PoCs (2) — discovered, not yet vetted or ranked
- HORKimhab/CVE-2026-25089 (★ 5, source: nomi_sec)
- 0xBlackash/CVE-2026-25089 (★ 2, source: nomi_sec)
Recall-favoring discovery (nomi-sec + trickest). Vetting + ranking is the Stage-4 scorer.
References
Status: enriched · ingested 2026-06-12T00:00:30.000Z · profiled 2026-06-16T18:19:23.017Z