Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Reflected Cross Site Scripting (XSS) in error page

  • What: Reflected XSS vulnerability in FortiSIEM error page
  • Impact: May allow attackers to perform social engineering attacks

Summary

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] in FortiSIEM's error page may allow a remote unauthenticated attacker to provide arbitrary data enabling a social engineering attack via spoofed URL parameters.

Version         Affected              Solution
FortiSIEM 7.5   Not affected          Not Applicable
FortiSIEM 7.4   7.4.0                 Upgrade to 7.4.1 or above
FortiSIEM 7.3   7.3.0 through 7.3.4   Upgrade to 7.3.5 or above
FortiSIEM 7.2   Not affected          Not Applicable
FortiSIEM 7.1   Not affected          Not Applicable
FortiSIEM 7.0   Not affected          Not Applicable
FortiSIEM 6.7   Not affected          Not Applicable
FortiSIEM 6.6   Not affected          Not Applicable
FortiSIEM 6.5   Not affected          Not Applicable
FortiSIEM 6.4   Not affected          Not Applicable

Acknowledgement

Discovered during an independent audit commissioned by Fortinet

Timeline

2026-03-10: Initial publication

IR Number: FG-IR-26-077
Published Date: Mar 10, 2026
Component: GUI
Severity: Medium
CVSSv3 Score: 4.1
Impact: Execute unauthorized code or commands
CVE ID: CVE-2026-25972
