Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Fortinet PSIRT

Arbitrary log file read in administrative interface

  • What: Vulnerability in FortiDeceptor's administrative interface
  • Impact: Authenticated attackers can read log files

Summary

An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEB UI may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests.

| Version | Affected | Solution |
| --- | --- | --- |
| FortiDeceptor 6.3 | Not affected | Not Applicable |
| FortiDeceptor 6.2 | Not affected | Not Applicable |
| FortiDeceptor 6.1 | Not affected | Not Applicable |
| FortiDeceptor 6.0 | 6.0.0 through 6.0.2 | Migrate to a fixed release |
| FortiDeceptor 5.3 | 5.3.0 through 5.3.3 | Migrate to a fixed release |
| FortiDeceptor 5.2 | 5.2.0 through 5.2.1 | Migrate to a fixed release |
| FortiDeceptor 5.1 | 5.1 all versions | Migrate to a fixed release |
| FortiDeceptor 5.0 | 5.0 all versions | Migrate to a fixed release |
| FortiDeceptor 4.3 | Not affected | Not Applicable |
| FortiDeceptor 4.2 | Not affected | Not Applicable |
| FortiDeceptor 4.1 | Not affected | Not Applicable |

Acknowledgement

Internally discovered and reported by Adham El karn of Fortinet Product Security team.

Timeline

2026-05-12: Initial publication

  • IR Number: FG-IR-26-138
  • Published Date: May 12, 2026
  • Component: GUI
  • Severity: Medium
  • Discovered: Internal
  • Attack Type: Authenticated
  • Known Exploited: No
  • CVSSv3 Score: 4.0
  • Impact: Information disclosure
  • CVE ID: CVE-2026-25690
