CVE-2026-39813
Published: 14 April 2026
Description
A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privilege via <insert attack vector here>
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely flaw remediation, directly addressing this path traversal vulnerability through application of Fortinet patches as recommended in FG-IR-26-112.
SI-10 mandates validation of inputs to block malicious path traversal sequences like '../filedir' in the unspecified attack vector.
AC-6 enforces least privilege to limit the scope and impact of privilege escalation even if path traversal succeeds.
Security Summary
CVE-2026-39813 is a path traversal vulnerability (CWE-24) in Fortinet FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. Published on 2026-04-14, the issue involves '../filedir' sequences and may allow an attacker to achieve escalation of privilege via an unspecified attack vector. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H), marking it as critical due to its high potential impact on confidentiality, integrity, and availability.
The vulnerability can be exploited by a remote, unauthenticated attacker over the network with low attack complexity and no user interaction required. Successful exploitation enables privilege escalation, allowing the attacker to gain elevated access on the affected FortiSandbox instance.
Fortinet's PSIRT advisory (FG-IR-26-112) at https://fortiguard.fortinet.com/psirt/FG-IR-26-112 provides further details on the vulnerability, including recommended mitigations and patches.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability (CWE-24) in a public-facing FortiSandbox appliance enables remote, unauthenticated exploitation (T1190, Exploit Public-Facing Application), which leads directly to privilege escalation (T1068, Exploitation for Privilege Escalation).