- What: Out-of-bounds write vulnerability in FortiWeb CGI daemon
- Impact: A remote, authenticated attacker with privileged access could execute arbitrary code or commands via crafted HTTP requests (CVSSv3 6.7, Medium)
Out-Of-Bounds Write in administrative interface

Summary

An out-of-bounds write vulnerability [CWE-787] in the FortiWeb CGI daemon may allow a remote privileged attacker to execute arbitrary code or commands via crafted HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.3 | Upgrade to 8.0.4 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.6 | Upgrade to 7.6.7 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.11 | Upgrade to 7.4.12 or above |
| FortiWeb 7.2 | Not affected | Not applicable |
| FortiWeb 7.0 | Not affected | Not applicable |

Acknowledgement

Fortinet is pleased to thank Jason McFadyen of TrendAI Research for reporting this vulnerability under responsible disclosure.

Timeline

2026-04-15: Initial publication

- IR Number: FG-IR-26-127
- Published Date: Apr 15, 2026
- Component: GUI
- Severity: Medium
- Discovered: External
- Attack Type: Authenticated
- Known Exploited: No
- CVSSv3 Score: 6.7
- Impact: Execute unauthorized code or commands
- CVE ID: CVE-2026-40688
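The affected-version table above is what a practitioner actually has to apply across a fleet, and the boundary cases (7.4.11 is affected, 7.4.12 is not; 7.2.x is never affected; anything outside the five listed branches has no verdict in this advisory) are where hand checks go wrong. The script below is an added example, not Fortinet tooling: it encodes the ranges exactly as the advisory states them and triages a constructed, hypothetical inventory. It assumes version strings contain a `major.minor.patch` triple somewhere in the text; the inventory hostnames and versions are made up for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# Ranges transcribed from advisory FG-IR-26-127 (CVE-2026-40688).
# (major, minor) -> (first affected patch, first fixed patch), or None when
# the advisory lists the branch as "Not affected".
AFFECTED_RANGES: Dict[Tuple[int, int], Optional[Tuple[int, int]]] = {
    (8, 0): (0, 4),    # 8.0.0 through 8.0.3 affected; upgrade to 8.0.4 or above
    (7, 6): (0, 7),    # 7.6.0 through 7.6.6 affected; upgrade to 7.6.7 or above
    (7, 4): (0, 12),   # 7.4.0 through 7.4.11 affected; upgrade to 7.4.12 or above
    (7, 2): None,      # Not affected
    (7, 0): None,      # Not affected
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first major.minor.patch triple from a version string.

    Assumption (not from the advisory): the appliance's reported version
    contains such a triple, e.g. "7.4.11" or "FortiWeb-VM 7.4.11,build...".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Classify a version against the advisory table.

    Returns one of:
      'affected'     - inside an affected range, needs the listed upgrade
      'fixed'        - same branch, at or above the first fixed release
      'not_affected' - branch the advisory explicitly lists as not affected
      'unknown'      - branch the advisory does not mention at all
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch not in AFFECTED_RANGES:
        # Deliberately NOT treated as safe: the advisory gives no verdict here.
        return "unknown"
    rng = AFFECTED_RANGES[branch]
    if rng is None:
        return "not_affected"
    first_affected, first_fixed = rng
    if first_affected <= patch < first_fixed:
        return "affected"
    return "fixed"


def upgrade_target(version: str) -> Optional[str]:
    """Minimum release that closes the issue for an affected version, else None."""
    if assess(version) != "affected":
        return None
    major, minor, _ = parse_version(version)
    _, first_fixed = AFFECTED_RANGES[(major, minor)]
    return f"{major}.{minor}.{first_fixed}"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map host -> (verdict, upgrade target) for a host->version inventory."""
    return {host: (assess(ver), upgrade_target(ver)) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = {
    "waf-edge-01": "FortiWeb-VM 7.4.11,build0000",
    "waf-edge-02": "7.4.12",
    "waf-dc-01": "8.0.3",
    "waf-legacy": "7.2.9",
    "waf-lab": "6.4.1",
}

if __name__ == "__main__":
    for host, (verdict, target) in triage(SAMPLE_INVENTORY).items():
        action = f"upgrade to {target} or above" if target else "-"
        print(f"{host:12} {verdict:13} {action}")
```

Keep the `unknown` verdict distinct from `not_affected`: a branch the advisory does not list (6.x, or anything newer than 8.0 at the time of publication) has simply not been assessed on this page, and collapsing it into "safe" is the classic triage mistake. Note also that the advisory rates the attack type as Authenticated and the attacker as privileged, so exposure of the administrative interface and who holds admin credentials are the other inputs to prioritising the upgrades this script flags.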