- What: Arbitrary directory delete via path traversal
- Impact: Privileged attackers could delete arbitrary directories in FortiSandbox

Arbitrary directory delete on vmimages delete feature

Summary

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS and FortiSandbox Cloud WEB UI may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests.

| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.2 | Not affected | Not Applicable |
| FortiSandbox 5.0 | 5.0.0 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox 4.2 | 4.2 all versions | Migrate to a fixed release |
| FortiSandbox Cloud 24 | Not affected | Not Applicable |
| FortiSandbox Cloud 23 | Not affected | Not Applicable |
| FortiSandbox Cloud 5.0 | 5.0.4 | Fortinet remediated this issue in 5.0.5 and hence customers do not need to perform any action. |
| FortiSandbox Cloud 4.4 | Not affected | Not Applicable |
| FortiSandbox Cloud 4.2 | Not affected | Not Applicable |
| FortiSandbox PaaS 5.0 | 5.0.4 | Upgrade to 5.0.5 or above |
| FortiSandbox PaaS 4.4 | Not affected | Not Applicable |
| FortiSandbox PaaS 4.2 | Not affected | Not Applicable |

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

- 2026-04-14: Initial publication

- IR Number: FG-IR-26-115
- Published Date: Apr 14, 2026
- Component: GUI
- Severity: Medium
- Discovered: Internal
- Attack Type: Authenticated
- Known Exploited: No
- CVSSv3 Score: 6.2
- Impact: Execute unauthorized code or commands
- CVE ID: CVE-2026-25691