{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39812", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "state": "PUBLISHED", "assignerShortName": "fortinet", "dateReserved": "2026-04-07T15:24:11.535Z", "datePublished": "2026-04-14T15:38:18.366Z", "dateUpdated": "2026-04-14T16:46:15.629Z"}, "containers": {"cna": {"affected": [{"vendor": "Fortinet", "product": "FortiSandbox", "cpes": ["cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "5.0.0", "lessThanOrEqual": "5.0.4", "status": "affected"}, {"versionType": "semver", "version": "4.4.0", "lessThanOrEqual": "4.4.8", "status": "affected"}, {"versionType": "semver", "version": "4.2.1", "lessThanOrEqual": "4.2.8", "status": "affected"}]}, {"vendor": "Fortinet", "product": "FortiSandbox PaaS", "cpes": ["cpe:2.3:a:fortinet:fortisandboxpaas:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.1:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "version": "5.0.0", "lessThanOrEqual": "5.0.5", "status": "affected"}, {"versionType": "semver", "version": "4.4.0", "lessThanOrEqual": "4.4.8", "status": "affected"}, {"versionType": "semver", "version": "4.2.1", "lessThanOrEqual": "4.2.8", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow attacker to execute unauthorized code or commands via <insert attack vector here>"}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:18.366Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Execute unauthorized code or commands", "type": "CWE"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C"}}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSandbox version 5.0.6 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.6 or above\nUpgrade to FortiSandbox PaaS version 4.4.9 or above"}], "references": [{"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-110", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-110"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T16:26:08.654637Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:46:15.629Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T16:26:08.654637Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:37:14.786Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox", "versions": [{"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.0.4"}, {"status": "affected", "version": "4.4.0", "versionType": "semver", "lessThanOrEqual": "4.4.8"}, {"status": "affected", "version": "4.2.1", "versionType": "semver", "lessThanOrEqual": "4.2.8"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:fortinet:fortisandboxpaas:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.8:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.7:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:fortinet:fortisandboxpaas:4.2.1:*:*:*:*:*:*:*"], "vendor": "Fortinet", "product": "FortiSandbox PaaS", "versions": [{"status": "affected", "version": "5.0.0", "versionType": "semver", "lessThanOrEqual": "5.0.5"}, {"status": "affected", "version": "4.4.0", "versionType": "semver", "lessThanOrEqual": "4.4.8"}, {"status": "affected", "version": "4.2.1", "versionType": "semver", "lessThanOrEqual": "4.2.8"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to FortiSandbox version 5.0.6 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.6 or above\nUpgrade to FortiSandbox PaaS version 4.4.9 or above"}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-110", "name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-110"}], "descriptions": [{"lang": "en", "value": "A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow attacker to execute unauthorized code or commands via <insert attack vector here>"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Execute unauthorized code or commands"}]}], "providerMetadata": {"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "shortName": "fortinet", "dateUpdated": "2026-04-14T15:38:18.366Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39812", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:46:15.629Z", "dateReserved": "2026-04-07T15:24:11.535Z", "assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8", "datePublished": "2026-04-14T15:38:18.366Z", "assignerShortName": "fortinet"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow attacker to execute unauthorized code or commands via <insert attack vector here>"}], "id": "CVE-2026-39812", "lastModified": "2026-04-14T16:16:45.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "psirt@fortinet.com", "type": "Secondary"}]}, "published": "2026-04-14T16:16:45.490", "references": [{"source": "psirt@fortinet.com", "url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-110"}], "sourceIdentifier": "psirt@fortinet.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@fortinet.com", "type": "Primary"}]}

{}

{}