Security News

Cybersecurity news aggregator

MEDIUM | Vulnerabilities | Fortinet PSIRT

SQL command injection in administrative portal

  • What: SQL command injection vulnerability in FortiMail
  • Impact: Authenticated attackers could execute unauthorized code or commands

Summary

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiMail may allow an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.

Version          Affected               Solution
FortiMail 7.6    7.6.0 through 7.6.3    Upgrade to 7.6.4 or above
FortiMail 7.4    7.4.0 through 7.4.5    Upgrade to 7.4.6 or above
FortiMail 7.2    7.2.0 through 7.2.8    Upgrade to 7.2.9 or above

Acknowledgement

Internally discovered and reported by Jaguar Perlas of Fortinet Burnaby InfoSec team.

Timeline

2026-05-12: Initial publication

  • IR Number: FG-IR-26-132
  • Published Date: May 12, 2026
  • Component: GUI
  • Severity: Medium
  • Discovered: Internal
  • Attack Type: Authenticated
  • Known Exploited: No
  • CVSSv3 Score: 6.3
  • Impact: Execute unauthorized code or commands
  • CVE ID: CVE-2025-53681
