MEDIUM Vulnerabilities Fortinet PSIRT

Stored Cross Site Scripting (XSS) in Reports View page

  • What: Stored XSS vulnerability in FortiSOAR
  • Impact: Authenticated attackers can perform XSS attacks

Summary

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP requests.

Version | Affected | Solution
FortiSOAR PaaS 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above
FortiSOAR PaaS 7.5 | 7.5.0 through 7.5.2 | Upgrade to 7.5.3 or above
FortiSOAR PaaS 7.4 | 7.4 all versions | Migrate to a fixed release
FortiSOAR PaaS 7.3 | 7.3 all versions | Migrate to a fixed release
FortiSOAR on-premise 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above
FortiSOAR on-premise 7.5 | 7.5.0 through 7.5.2 | Upgrade to 7.5.3 or above
FortiSOAR on-premise 7.4 | 7.4 all versions | Migrate to a fixed release
FortiSOAR on-premise 7.3 | 7.3 all versions | Migrate to a fixed release

Acknowledgement

Internally discovered and reported by Shripal Rawal of Fortinet PSIRT team.

Timeline

2026-04-14: Initial publication

  • IR Number: FG-IR-26-117
  • Published Date: Apr 14, 2026
  • Component: GUI
  • Severity: Medium
  • Discovered: Internal
  • Attack Type: Authenticated
  • Known Exploited: No
  • CVSSv3 Score: 4.4
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2026-22154
