MEDIUM: 6.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:F/RL:O/RC:C

Default status: unaffected
5.0.4: affected

Default status: unaffected
5.0.4: affected

Default status: unaffected
5.0.0 (semver): affected
4.4.0 (semver): affected
4.2.1 (semver): affected

Description
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, and FortiSandbox PaaS 5.0.4 may allow a privileged attacker with a super-admin profile and CLI access to delete an arbitrary directory via crafted HTTP requests.
Problem types
Execute unauthorized code or commands
Product status
5.0.4
5.0.4
5.0.0 (semver)
4.4.0 (semver)
4.2.1 (semver)
References
fortiguard.fortinet.com/psirt/FG-IR-26-115