Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

XSS in LDAP server option

  • What: XSS vulnerability in FortiSandbox LDAP server feature
  • Impact: Authenticated privileged users could execute code via crafted requests

Summary

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox LDAP Server feature may allow an authenticated privileged attacker to execute code via crafted requests.

Version            Affected               Solution
FortiSandbox 5.0   5.0.0 through 5.0.2    Upgrade to 5.0.3 or above
FortiSandbox 4.4   4.4.0 through 4.4.7    Upgrade to 4.4.8 or above
FortiSandbox 4.2   4.2 all versions       Migrate to a fixed release
FortiSandbox 4.0   4.0 all versions       Migrate to a fixed release

Fortinet has remediated this issue in FortiSandbox PaaS version 5.0.5.

Acknowledgement

Discovered during an independent audit commissioned by Fortinet.

Timeline

2026-03-10: Initial publication

  • IR Number: FG-IR-26-091
  • Published Date: Mar 10, 2026
  • Component: GUI
  • Severity: Medium
  • CVSSv3 Score: 4.6
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2025-53608
