- What: Null pointer dereference vulnerability in FortiWeb's anti-defacement feature
- Impact: May allow authenticated attackers to crash HTTP daemon
Null Pointer Dereference in Anti-Defacement feature

Summary

A NULL Pointer Dereference vulnerability [CWE-476] in FortiWeb may allow an authenticated attacker to crash the HTTP daemon via crafted HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.2 | Upgrade to 8.0.3 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.6 | Upgrade to 7.6.7 or above |
| FortiWeb 7.4 | 7.4 all versions | Migrate to a fixed release |
| FortiWeb 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiWeb 7.0 | 7.0 all versions | Migrate to a fixed release |

Acknowledgement

Fortinet is pleased to thank Sina Kheirkhah (SinSinology) of watchTowr (watchTowrcyber) for reporting this vulnerability under responsible disclosure.

Timeline

- 2026-03-10: Initial publication

- IR Number: FG-IR-26-089
- Published Date: Mar 10, 2026
- Component: GUI
- Severity: Low
- CVSSv3 Score: 2.5
- Impact: Denial of service
- CVE ID: CVE-2026-24641