FortiSandbox: OS Command Injection through API endpoint

Summary
An Improper Neutralization of Special Elements used in an OS Command ('OS command injection') vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.

Version | Affected | Solution
FortiSandbox 5.0 | Not affected | Not applicable
FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above

FortiSandbox PaaS 5.0 is not impacted by this issue, so customers running it do not need to take any action.

Acknowledgement
Fortinet is pleased to thank Samuel de Lucas Maroto from KPMG Spain for reporting this vulnerability under responsible disclosure.

Timeline
2026-04-14: Initial publication

IR Number: FG-IR-26-100
Published Date: Apr 14, 2026
Component: API
Severity: Critical
Discovered: Internal
Attack Type: Unauthenticated
Known Exploited: No
CVSSv3 Score: 9.1
Impact: Execute unauthorized code or commands
CVE ID: CVE-2026-39808
In short: an unauthenticated OS command injection (CWE-78) vulnerability (CVE-2026-39808, CVSSv3 9.1) in FortiSandbox may allow remote code execution via crafted HTTP requests to an API endpoint. FortiSandbox 4.4.0 through 4.4.8 is affected; FortiSandbox 5.0 and FortiSandbox PaaS 5.0 are not. The fix is to upgrade affected 4.4 deployments to 4.4.9 or above.
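The version ranges above are easy to misjudge with plain string comparison (as strings, "4.4.10" sorts before "4.4.9"). The following is an added example, not Fortinet's code or tooling: it parses a FortiSandbox firmware version string numerically and classifies it against only the ranges this advisory states, reporting any branch the advisory does not list as "not listed" rather than guessing. The inventory of hosts at the bottom is constructed sample data.

```python
"""Classify FortiSandbox firmware versions against CVE-2026-39808 (FG-IR-26-100).

Added example, not Fortinet's code. It encodes only what the advisory states:
4.4.0 through 4.4.8 affected, fixed in 4.4.9; the 5.0 branch not affected.
Branches the advisory does not mention are reported as "not listed".
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges copied from the advisory's affected-version table.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [((4, 4, 0), (4, 4, 8))]
# First fixed release per affected branch, from the "Solution" column.
FIXED_IN = {(4, 4): (4, 4, 9)}
# Branches the advisory explicitly marks as not affected.
NOT_AFFECTED_BRANCHES = {(5, 0)}


def parse_version(text: str) -> Version:
    """Parse strings like '4.4.8', 'v4.4.8' or '4.4.8 build1234' into a tuple.

    Numeric tuples compare correctly where strings do not:
    (4, 4, 10) > (4, 4, 9) but '4.4.10' < '4.4.9'.
    """
    match = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, advice) for one version string.

    status is one of 'affected', 'fixed', 'not affected', 'not listed'.
    advice is the action to take, or None when nothing is required.
    """
    version = parse_version(version_text)
    branch = (version[0], version[1])

    for low, high in AFFECTED_RANGES:
        if low <= version <= high:
            fix = FIXED_IN[branch]
            return "affected", "upgrade to %d.%d.%d or above" % fix

    if branch in FIXED_IN and version >= FIXED_IN[branch]:
        return "fixed", None

    if branch in NOT_AFFECTED_BRANCHES:
        return "not affected", None

    # The advisory says nothing about this branch; do not infer either way.
    return "not listed", "branch not covered by FG-IR-26-100; consult the advisory"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version) pairs to (host, version, status) for reporting."""
    return [(host, ver, assess(ver)[0]) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("sandbox-a", "4.4.8"),
        ("sandbox-b", "v4.4.10 build2021"),
        ("sandbox-c", "5.0.1"),
        ("sandbox-d", "4.2.5"),
    ]
    for host, ver, status in triage(sample):
        advice = assess(ver)[1] or "no action required"
        print(f"{host:<10} {ver:<20} {status:<13} {advice}")
```

Run it against the real `get system status` output or your asset inventory by swapping in the actual version strings; anything reported as "not listed" is a branch this advisory does not cover and should be checked separately rather than assumed safe.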