Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Reflected XSS in Operation Center

  • What: Reflected XSS vulnerability in FortiSandbox Operation Center
  • Impact: Attackers could perform XSS attacks via crafted HTTP requests

Summary

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiSandbox and FortiSandbox Cloud may allow an attacker to perform an XSS attack via crafted HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.0 | 5.0.0 through 5.0.4 | Upgrade to 5.0.5 or above |
| FortiSandbox 4.4 | Not affected | Not Applicable |
| FortiSandbox 4.2 | Not affected | Not Applicable |
| FortiSandbox PaaS 5.0 | 5.0.0 through 5.0.4 | Upgrade to 5.0.5 or above |
| FortiSandbox PaaS 4.4 | Not affected | Not Applicable |
| FortiSandbox PaaS 4.2 | Not affected | Not Applicable |

Acknowledgement

Internally discovered and reported by William Hsu from Fortinet InfoSec team.

Timeline

2026-04-14: Initial publication

  • IR Number: FG-IR-26-109
  • Published Date: Apr 14, 2026
  • Component: GUI
  • Severity: Medium
  • Discovered: Internal
  • Attack Type: Unauthenticated
  • Known Exploited: No
  • CVSSv3 Score: 4.9
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2025-61886
