Fortinet put out a large set of security warnings on April 14, 2026. These warnings cover 11 flaws in different products, with two marked as Critical, two as High, and seven as Medium or Low.
The advisories cover FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager, and Fortinet urges administrators to apply the fixes immediately.
Critical FortiSandbox PaaS Flaws
The most severe flaw in this batch is CVE-2026-39808 (FG-IR-26-100), an OS command injection vulnerability in FortiSandbox and FortiSandbox PaaS.
Rooted in CWE-122 (Improper Neutralization of Special Elements used in an OS Command) and reachable through the API without authentication, the vulnerability affects FortiSandbox versions 4.4.4 through 4.4.8 and FortiSandbox PaaS versions up to 23.4.4374.
A remote, unauthenticated attacker could use it to execute arbitrary commands on the system, potentially taking full control of the device.
CVE-2026-39813 (FG-IR-26-112) is also Critical: a path traversal weakness (CWE-24) in the JRPC API of FortiSandbox.
This flaw affects FortiSandbox versions 5.0.1 to 5.0.5. It lets attackers bypass authentication checks and gain elevated access without valid credentials, making it one of the most serious issues in this release.
Rated High, CVE-2026-22828 (FG-IR-26-121) describes a heap-based buffer overflow (CWE-122) in the oftpd daemon of FortiAnalyzer Cloud and FortiManager Cloud.
The issue affects versions 7.6.2 to 7.6.4. A remote attacker could use it to execute code or crash the service, and no authentication is required, which lowers the bar for exploitation.
Authentication and Access Control Gaps
CVE-2025-53847 (FG-IR-26-125) is a missing-authentication-for-critical-function weakness in the CAPWAP daemon of FortiOS and FortiSwitchManager.
Rated Medium, the issue is reachable without authentication from an internal network and affects FortiOS versions 7.4.8 to 7.6.3, which is relevant to organizations with segmented internal networks.
CVE-2026-27316 (FG-IR-26-113) is an insufficiently protected credentials weakness (CWE-522) in the FortiSandbox and FortiSandbox PaaS web interface, specifically the LDAP configuration page.
Rated Low, the flaw is reachable remotely but requires authentication. It affects FortiSandbox versions 5.0.1 to 5.0.5 and PaaS versions up to 23.4.4374, and may expose LDAP bind credentials to authenticated users with GUI access.
Path Traversal, Cross-Site Scripting, and SQL Injection Vulnerabilities
Fortinet fixed three path traversal issues in this update. CVE-2026-25691 (FG-IR-26-115) affects FortiSandbox's vmimages delete function and lets authenticated GUI users delete arbitrary directories.
CVE-2025-68649 (FG-IR-26-120) affects the CLI of FortiAnalyzer, FortiAnalyzer Cloud, FortiManager, and FortiManager Cloud in the 7.6.x and 7.4.x branches. CVE-2025-61624 (FG-IR-26-122) affects CLI components of FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager across multiple versions. All three are rated Medium and require an authenticated user on the internal network.
Several XSS issues were also fixed in this release. CVE-2026-39812 (FG-IR-26-110) is a stored XSS in FortiSandbox and FortiSandbox PaaS versions 5.0.1 to 5.0.5. CVE-2025-61886 (FG-IR-26-109) is a reflected XSS in FortiSandbox's Operation Center interface, reachable by unauthenticated users from the internal network.
CVE-2025-61848 (FG-IR-26-111) is an SQL injection (CWE-89) in the JSON RPC API of FortiAnalyzer and FortiManager versions 7.6.1–7.6.4, including the cloud editions. It requires authentication, but a successful attacker could alter database queries.
Mitigations
Security teams should prioritize patching by severity and attack vector, starting with the issues above that are rated Critical or High and are exploitable without authentication. Administrators should consult Fortinet's PSIRT portal for the fixed versions and apply them immediately.
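As an added example (not Fortinet's tooling or code from this article), the following script checks an inventory of product/version pairs against the affected ranges quoted above and lists the matching advisories most severe first. It only encodes entries whose product, version range and rating the article states; fixed versions are not on the page, so a hit means "within an affected range", not "unpatched". Version strings are compared numerically so that 4.4.10 does not sort before 4.4.8.

```python
from dataclasses import dataclass
from typing import Optional

# Affected ranges exactly as the article states them. Fixed versions are not
# on the page, so this flags "within an affected range", not "patched".
# lo/hi are inclusive; lo=None means "all versions up to hi".
@dataclass(frozen=True)
class Advisory:
    cve: str
    fg_ir: str
    product: str
    lo: Optional[str]
    hi: str
    severity: str

ADVISORIES = [
    Advisory("CVE-2026-39808", "FG-IR-26-100", "FortiSandbox", "4.4.4", "4.4.8", "Critical"),
    Advisory("CVE-2026-39808", "FG-IR-26-100", "FortiSandbox PaaS", None, "23.4.4374", "Critical"),
    Advisory("CVE-2026-39813", "FG-IR-26-112", "FortiSandbox", "5.0.1", "5.0.5", "Critical"),
    Advisory("CVE-2026-22828", "FG-IR-26-121", "FortiAnalyzer Cloud", "7.6.2", "7.6.4", "High"),
    Advisory("CVE-2026-22828", "FG-IR-26-121", "FortiManager Cloud", "7.6.2", "7.6.4", "High"),
    Advisory("CVE-2025-53847", "FG-IR-26-125", "FortiOS", "7.4.8", "7.6.3", "Medium"),
    Advisory("CVE-2026-27316", "FG-IR-26-113", "FortiSandbox", "5.0.1", "5.0.5", "Low"),
    Advisory("CVE-2026-27316", "FG-IR-26-113", "FortiSandbox PaaS", None, "23.4.4374", "Low"),
]

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def parse_version(s: str) -> tuple:
    # "7.6.3" -> (7, 6, 3); tuple comparison gives numeric, not lexical, order
    return tuple(int(part) for part in s.strip().split("."))

def in_range(version: str, lo: Optional[str], hi: str) -> bool:
    v = parse_version(version)
    return (lo is None or parse_version(lo) <= v) and v <= parse_version(hi)

def applicable(product: str, version: str) -> list:
    """Advisories from the article covering this product/version, most severe first."""
    hits = [a for a in ADVISORIES if a.product == product and in_range(version, a.lo, a.hi)]
    hits.sort(key=lambda a: SEVERITY_ORDER[a.severity])
    return [f"{a.severity}: {a.cve} ({a.fg_ir})" for a in hits]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    inventory = [("FortiSandbox", "5.0.3"), ("FortiOS", "7.5.0"), ("FortiManager Cloud", "7.6.5")]
    for product, version in inventory:
        print(product, version, "->", applicable(product, version) or ["no advisory in this batch"])
```

Extend ADVISORIES from the PSIRT advisories themselves before relying on it, since the article omits versions or ratings for several of the eleven entries.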
InfoSecBulletin Cybersecurity for mankind
