FortiSandbox 4.4.0-4.4.8 OS Command Injection Vulnerability
CVE-2026-39808 Published on April 14, 2026
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
Vulnerability Analysis
CVE-2026-39808 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-39808 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2026-39808
stack.watch emails you whenever new vulnerabilities are published in Fortinet Fortisandbox or Fortinet Fortisandboxpaas. Just hit a watch button to start following.
Affected Versions
Fortinet FortiSandbox:- Version 4.4.0, <= 4.4.8 is affected.
- Version 23.4.4374 is affected.
- Version 23.4.4350 is affected.
- Version 23.3.4329 is affected.
- Version 23.1.4245 is affected.
- Version 22.2.4151 is affected.
- Version 22.2.4134 is affected.
- Version 22.1.4113 is affected.
- Version 21.4.4072 is affected.
- Version 21.3.4055 is affected.