Vulnerability Database / CVE-2025-52436 CVE-2025-52436: Fortinet FortiSandbox XSS Vulnerability CVE-2025-52436 is a cross-site scripting flaw in Fortinet FortiSandbox that enables unauthenticated attackers to execute commands via crafted requests. This article covers technical details, affected versions, and mitigation. Published : February 13, 2026 CVE-2025-52436 Overview An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability (CWE-79) has been identified in Fortinet FortiSandbox. This vulnerability allows an unauthenticated attacker to execute commands via crafted requests, potentially leading to complete compromise of affected systems. Critical Impact Unauthenticated remote attackers can exploit this XSS vulnerability to execute arbitrary commands on affected FortiSandbox appliances, potentially compromising the security infrastructure and any connected systems. Affected Products Fortinet FortiSandbox 5.0.0 through 5.0.1 Fortinet FortiSandbox 4.4.0 through 4.4.7 Fortinet FortiSandbox 4.2 all versions Fortinet FortiSandbox 4.0 all versions Discovery Timeline 2026-02-10 - CVE-2025-52436 published to NVD 2026-02-10 - Last updated in NVD database Technical Details for CVE-2025-52436 Vulnerability Analysis This Cross-Site Scripting (XSS) vulnerability in Fortinet FortiSandbox represents a significant security risk due to its ability to allow command execution without authentication. The vulnerability stems from improper neutralization of user-supplied input during web page generation, which is particularly dangerous in security appliances like FortiSandbox that are designed to analyze potentially malicious content. The attack can be initiated remotely over the network and requires user interaction (such as clicking a malicious link or visiting a compromised page). Once exploited, an attacker can achieve high impact across confidentiality, integrity, and availability of the affected system. Root Cause The root cause of this vulnerability lies in insufficient input validation and output encoding within the FortiSandbox web interface. When user-controlled data is rendered in web pages without proper sanitization, attackers can inject malicious scripts that execute in the context of authenticated users' browsers. This CWE-79 vulnerability indicates that the application fails to properly neutralize special characters that could be interpreted as script commands. Attack Vector The attack vector is network-based, requiring an unauthenticated attacker to craft malicious requests targeting the FortiSandbox web interface. The attacker can deliver the exploit through various methods including: Crafting malicious URLs containing XSS payloads and tricking administrators into clicking them Embedding malicious scripts in content that gets processed by FortiSandbox Leveraging the XSS vulnerability to escalate privileges and execute system commands The vulnerability allows command execution, which elevates this from a typical stored or reflected XSS issue to one with potential for full system compromise. Attackers could leverage this to exfiltrate sensitive data from the security appliance, modify security configurations, or use the compromised FortiSandbox as a pivot point for further network attacks. Detection Methods for CVE-2025-52436 Indicators of Compromise Unexpected HTTP requests to FortiSandbox web interface containing encoded script tags or JavaScript event handlers Unusual administrative actions or configuration changes on FortiSandbox appliances Web server logs showing requests with suspicious URL parameters containing XSS payloads such as <script> , javascript: , or event handlers like onerror Evidence of command execution from the FortiSandbox web server process Detection Strategies Deploy Web Application Firewall (WAF) rules to detect and block common XSS payload patterns targeting FortiSandbox Enable detailed logging on FortiSandbox web interfaces and monitor for anomalous request patterns Implement network traffic analysis to identify suspicious inbound requests containing script injection attempts Use endpoint detection and response (EDR) solutions to monitor for unexpected process execution on FortiSandbox appliances Monitoring Recommendations Monitor FortiSandbox system logs for unusual authentication events or privilege escalations Implement alerting for configuration changes made through the web interface outside of maintenance windows Track network connections originating from FortiSandbox appliances to detect potential command-and-control communication Review access logs for requests from unexpected geographic locations or IP addresses How to Mitigate CVE-2025-52436 Immediate Actions Required Apply the latest security patches from Fortinet for affected FortiSandbox versions immediately Restrict access to the FortiSandbox web management interface to trusted networks only using firewall rules Implement multi-factor authentication for administrative access whe