PSIRT: SQL Injection via API

Summary

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiDDoS-F may allow an authenticated attacker to run arbitrary SQL queries on the database by sending crafted HTTP requests.

Affected Products

Version          | Affected              | Solution
FortiDDoS-F 7.2  | 7.2.1 through 7.2.2   | Upgrade to 7.2.3 or above
FortiDDoS-F 7.0  | Not affected          | Not Applicable
FortiDDoS-F 6.6  | Not affected          | Not Applicable
FortiDDoS-F 6.5  | Not affected          | Not Applicable
FortiDDoS-F 6.4  | Not affected          | Not Applicable
FortiDDoS-F 6.3  | Not affected          | Not Applicable

Acknowledgement

Internally discovered and reported by David Maciejak of the Fortinet Product Security team.

Timeline

2026-04-14: Initial publication

Advisory Details

IR Number: FG-IR-26-119
Published Date: Apr 14, 2026
Component: API
Severity: High
Discovered: Internal
Attack Type: Authenticated
Known Exploited: No
CVSSv3 Score: 7.9
Impact: Execute unauthorized code or commands
CVE ID: CVE-2026-39815
An authenticated SQL injection vulnerability (CVE-2026-39815, CVSSv3 7.9) in the FortiDDoS-F API allows an authenticated attacker to execute arbitrary SQL queries against the database via crafted HTTP requests. The vulnerability affects FortiDDoS-F versions 7.2.1 through 7.2.2 only; the 7.0, 6.6, 6.5, 6.4 and 6.3 branches are not affected. The fix is to upgrade to version 7.2.3 or above.