Fortinet Fortideceptor
By the Year
In 2026 there has been 1 vulnerability in Fortinet Fortideceptor with an average score of 6.0 out of ten. Last year, in 2025, Fortideceptor had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Fortideceptor in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.50.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.00 |
| 2025 | 2 | 4.50 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 7.05 |
| 2022 | 3 | 7.00 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 0.00 |
It may take a day or so for new Fortideceptor vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Fortinet Fortideceptor Security Vulnerabilities
FortiDeceptor 6.x Arg Injection via CLI HTTP Requests Allow Delete Files (CVE-2026-25689)
CVE-2026-25689
6 - Medium
- March 10, 2026
An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.
Argument Injection
FortiDeceptor 3.x-5.3.0 Reflected XSS in Recovery Endpoints
CVE-2024-35280
5.1 - Medium
- January 15, 2025
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiDeceptor 5.3.0, FortiDeceptor 5.2.0, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions, FortiDeceptor 3.3 all versions, FortiDeceptor 3.2 all versions, FortiDeceptor 3.1 all versions, FortiDeceptor 3.0 all versions may allow an attacker to perform a reflected cross-site scripting attack in the recovery endpoints.
XSS
FortiDeceptor Improper Access Control v5-6.0 CVE-2024-45326
CVE-2024-45326
3.9 - Low
- January 14, 2025
An Improper Access Control vulnerability [CWE-284] in Fortinet FortiDeceptor 6.0.0, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an authenticated attacker with no privileges to perform operations on the central management appliance via crafted requests.
Authorization
FortiSandbox 4.x Improper Privilege Mgmt Enables Authenticated API Abuse
CVE-2022-27487
8.8 - High
- April 11, 2023
An improper privilege management vulnerability in Fortinet FortiSandbox version 4.2.0 through 4.2.2, 4.0.0 through 4.0.2 and before 3.2.3 and FortiDeceptor version 4.1.0, 4.0.0 through 4.0.2 and before 3.3.3 allows a remote authenticated attacker to perform unauthorized API calls via crafted HTTP or HTTPS requests.
Improper Privilege Management
FortiDeceptor <3.1: Unrestricted Auth Attempts Causing DoS via HTTP Login
CVE-2023-26209
5.3 - Medium
- March 09, 2023
An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiDeceptor 3.1.x and before allows a remote unauthenticated attacker to partially exhaust CPU and memory via sending numerous HTTP requests to the login form.
Improper Restriction of Excessive Authentication Attempts
FortiSandbox/FortiDeceptor: Unlogged Auth Attempts (CWE-778) 3.1-3.1.5, 4.0-4.0.2
CVE-2022-30305
7.5 - High
- December 06, 2022
An insufficient logging [CWE-778] vulnerability in FortiSandbox versions 4.0.0 to 4.0.2, 3.2.0 to 3.2.3 and 3.1.0 to 3.1.5 and FortiDeceptor versions 4.2.0, 4.1.0 through 4.1.1, 4.0.0 through 4.0.2, 3.3.0 through 3.3.3, 3.2.0 through 3.2.2, 3.1.0 through 3.1.1 and 3.0.0 through 3.0.2 may allow a remote attacker to repeatedly enter incorrect credentials without causing a log entry, and with no limit on the number of failed authentication attempts.
FortiDeceptor mgmt interface XSS 4.2.0 via lure ID
CVE-2022-38373
5.4 - Medium
- November 02, 2022
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID.
XSS
Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may
CVE-2022-30302
8.1 - High
- July 19, 2022
Multiple relative path traversal vulnerabilities [CWE-23] in FortiDeceptor management interface 1.0.0 through 3.2.x, 3.3.0 through 3.3.2, 4.0.0 through 4.0.1 may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests.
Directory traversal
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain
CVE-2020-6644
- June 22, 2020
An insufficient session expiration vulnerability in FortiDeceptor 3.0.0 and below allows an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID via other, hypothetical attacks.