Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Multiple Stored XSS

  • What: Stored XSS vulnerability in FortiSandbox GUI
  • Impact: Privileged attackers could perform stored XSS attacks

Summary

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow a privileged attacker to perform a stored XSS attack via crafted HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.0 | 5.0.0 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox 4.2 | 4.2 all versions | Migrate to a fixed release |
| FortiSandbox PaaS 5.0 | 5.0.0 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox PaaS 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox PaaS 4.2 | 4.2 all versions | Migrate to a fixed release |

Acknowledgement

Internally discovered and reported by Adamya Varma from Fortinet InfoSec team.

Timeline

  • 2026-04-14: Initial publication

Advisory details

  • IR Number: FG-IR-26-110
  • Published Date: Apr 14, 2026
  • Component: GUI
  • Severity: Medium
  • Discovered: Internal
  • Attack Type: Authenticated
  • Known Exploited: No
  • CVSSv3 Score: 4.3
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2026-39812
