Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Protected hostname bypass

  • What: Authentication bypass by spoofing vulnerability in the FortiWeb protected hostname feature
  • Impact: May allow remote unauthenticated attackers to bypass hostname restrictions

PSIRT: Protected hostname bypass

Summary

An authentication bypass by spoofing [CWE-290] vulnerability in FortiWeb protected hostname feature may allow a remote unauthenticated attacker to bypass hostname restrictions via a specially crafted request.

Version        Affected               Solution
FortiWeb 8.0   Not affected           Not Applicable
FortiWeb 7.6   7.6.0 through 7.6.3    Upgrade to 7.6.4 or above
FortiWeb 7.4   7.4.0 through 7.4.8    Upgrade to 7.4.9 or above
FortiWeb 7.2   7.2 all versions       Migrate to a fixed release
FortiWeb 7.0   7.0 all versions       Migrate to a fixed release

Timeline

2026-03-10: Initial publication

  • IR Number: FG-IR-26-097
  • Published Date: Mar 10, 2026
  • Component: OTHERS
  • Severity: Medium
  • CVSSv3 Score: 5.0
  • Impact: Improper access control
  • CVE ID: CVE-2025-48840