CVE-2026-39808
Published: 14 April 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-39808 is an OS command injection vulnerability (CWE-78) affecting Fortinet FortiSandbox versions 4.4.0 through 4.4.8. The issue arises from improper neutralization of special elements used in an OS command, which may allow an attacker to execute unauthorized code or commands via an unspecified attack vector. Published on 2026-04-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation enables arbitrary OS command execution, granting high levels of control over confidentiality, integrity, and availability, potentially leading to complete system compromise.
Fortinet's advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-100 provides details on the vulnerability. A related GitHub repository at https://github.com/samu-delucas/CVE-2026-39808 is also referenced, offering additional resources for practitioners seeking mitigation or patch information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in public-facing FortiSandbox enables exploitation of public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).