MEDIUM Vulnerabilities Fortinet PSIRT

OS Command injection in FortiWeb API

  • What: OS command injection vulnerability in FortiWeb API
  • Impact: May allow authenticated attackers to execute arbitrary commands
PSIRT: OS Command injection in FortiWeb API

Summary

An OS Command Injection vulnerability [CWE-78] in FortiWeb API may allow an authenticated attacker to execute arbitrary commands via a specially crafted HTTP request.

Affected versions and solution

  Version       Affected                  Solution
  FortiWeb 8.0  8.0.0 through 8.0.1       Upgrade to 8.0.3 or above
  FortiWeb 7.6  7.6.0 through 7.6.5       Upgrade to 7.6.7 or above
  FortiWeb 7.4  7.4.0 through 7.4.11      Upgrade to 7.4.12 or above
  FortiWeb 7.2  7.2.0 through 7.2.12      Upgrade to upcoming 7.2.13 or above
  FortiWeb 7.0  7.0.0 through 7.0.12      Upgrade to upcoming 7.0.13 or above

Workaround

Disable web vulnerability scan feature visibility to prevent use via the GUI:

    # config system feature-visibility
    (feature-visibi~i) # set wvs disable
    (feature-visibi~i) # end

Use trusted hosts to limit access to the REST API.

Acknowledgement

Internally discovered and reported by Loic Pantano of Fortinet PSIRT.

Timeline

  • 2026-03-10: Initial publication

Details

  • IR Number: FG-IR-26-088
  • Published Date: Mar 10, 2026
  • Component: API
  • Severity: Medium
  • CVSSv3 Score: 6.7
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2025-66178
