Fortinet Fortisoarpaas

By the Year

In 2026 there have been 8 vulnerabilities in Fortinet Fortisoarpaas with an average score of 5.2 out of ten. Last year, in 2025, Fortisoarpaas had 2 security vulnerabilities published. That is, 6 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 1.20.

Year Vulnerabilities Average Score
2026 8 5.15
2025 2 6.35

It may take a day or so for new Fortisoarpaas vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Fortinet Fortisoarpaas Security Vulnerabilities

Path traversal via File Content Extract in FortiSOAR PaaS <7.7
CVE-2026-22573 6.2 - Medium - April 14, 2026

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5 all versions, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a path traversal attack via File Content Extraction actions.

Directory traversal

Improper Auth. in FortiSOAR 7.5-7.6.3 via 2FA Replay
CVE-2026-23708 6.7 - Medium - April 14, 2026

An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication by replaying a captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic, and precise timing to replay the request before token expiration, which raises the attack complexity.

Authentication

FortiSOAR 7.x SSRF (CWE-918) Before 7.6.4 Allowed Auth Attacker
CVE-2025-59809 4.1 - Medium - April 14, 2026

A server-side request forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.

SSRF

FortiSOAR 7.3-7.6.3 Cleartxt Sensitive Data Exposure
CVE-2026-22155 6.2 - Medium - April 14, 2026

A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an attacker via <insert attack vector here>.

Cleartext Transmission of Sensitive Information

Cleartext Password Exposure in FortiSOAR 7.4-7.6.3 PaaS/OnPrem
CVE-2026-21742 5.4 - Medium - April 14, 2026

A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to view a cleartext password in the response for Secure Message Exchange and RADIUS queries, if configured.

Cleartext Transmission of Sensitive Information

FortiSOAR 7.4-7.6.4 LDAP: Authenticated Password Disclosure
CVE-2026-22574 4.1 - Medium - April 14, 2026

A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve the service account password by modifying the server address in the LDAP configuration.

Storing Passwords in a Recoverable Format

FortiSOAR PaaS/On-Prem XSS in Web UI <=7.6.3 via Malformed Input
CVE-2026-22154 4.4 - Medium - April 14, 2026

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a stored cross-site scripting (XSS) attack via crafted HTTP requests.

XSS

Recoverable Passwords in Fortinet FortiSOAR PaaS & On-Prem 7.3-7.6.4
CVE-2026-22576 4.1 - Medium - April 14, 2026

A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve the passwords of multiple installed connectors by modifying the server address in the connector configuration.

Storing Passwords in a Recoverable Format

FortiSOAR PaaS 7.3-7.6.2 Password Reset without Auth
CVE-2025-59808 6.5 - Medium - December 09, 2025

An unverified password change vulnerability [CWE-620] in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker who has already gained access to a victim's user account to reset the account credentials without being prompted for the account's current password.

Unverified Password Change

FortiSOAR PaaS/On-Prem IAC (Info Disclosure) 7.3-7.6
CVE-2025-59810 6.2 - Medium - December 09, 2025

An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests.

Authorization
