- What: SQL injection vulnerability in FortiNDR
- Impact: Authenticated attackers could execute arbitrary SQL commands
PSIRT: User controlled SQL commands

Summary

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-89] in FortiNDR may allow an authenticated attacker to execute arbitrary SQL commands on selected databases and tables via specifically crafted HTTP requests.

| Version | Affected | Solution |
|---|---|---|
| FortiNDR 7.6 | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| FortiNDR 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiNDR 7.2 | 7.2 all versions | Migrate to a fixed release |
| FortiNDR 7.1 | 7.1 all versions | Migrate to a fixed release |
| FortiNDR 7.0 | 7.0 all versions | Migrate to a fixed release |

Acknowledgement

Internally discovered and reported by Dipanjan Das.

Timeline

- 2026-05-12: Initial publication

Advisory details

- IR Number: FG-IR-26-134
- Published Date: May 12, 2026
- Component: GUI
- Severity: Medium
- Discovered: Internal
- Attack Type: Authenticated
- Known Exploited: No
- CVSSv3 Score: 5.1
- Impact: Execute unauthorized code or commands
- CVE ID: CVE-2026-25088