- What: OS command injection vulnerability in FortiSandbox Cloud
- Impact: May allow privileged attackers to execute unauthorized code

PSIRT: OS command injection on vmimages update feature

Summary

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox Cloud WEB UI may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiSandbox Cloud 24 | Not affected | Not Applicable |
| FortiSandbox Cloud 23 | Not affected | Not Applicable |
| FortiSandbox Cloud 5.0 | 5.0.4 | Fortinet remediated this issue in 5.0.5 and hence customers do not need to perform any action. |

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

- 2026-03-10: Initial publication

- IR Number: FG-IR-26-096
- Published Date: Mar 10, 2026
- Component: GUI
- Severity: Medium
- CVSSv3 Score: 6.7
- Impact: Execute unauthorized code or commands
- CVE ID: CVE-2026-25836