Cyber Resilience

CVE-2026-39808

Critical / RCE

Published: 14 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.4867 (98.7th percentile)
Risk Priority: 80 (floored blend · peak EPSS)

Summary

CVE-2026-39808 is a critical-severity OS command injection (CWE-78) vulnerability in Fortinet FortiSandbox, with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of all CVEs by EPSS exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39808 is an OS command injection vulnerability, tracked under CWE-78, that affects Fortinet FortiSandbox versions 4.4.0 through 4.4.8. The flaw stems from improper neutralization of special elements in operating system commands and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input to trigger arbitrary command execution on the affected appliance, potentially leading to complete system compromise and unauthorized code or command execution.

The Fortinet advisory FG-IR-26-100 and an associated public repository provide further details on the issue and any available remediation steps.

EPSS for the CVE rose from lower values after the April 2026 disclosure to a peak of 0.2794 on 2026-06-03 before receding to the current 0.2276, a sustained post-disclosure rise in predicted exploitation likelihood (EPSS estimates the probability of exploitation in the wild; it does not by itself confirm observed attacks).


Vulnerability details

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote OS command injection in an Internet-facing FortiSandbox maps to Exploit Public-Facing Application (T1190) for initial access, and the injected commands themselves run as Unix shell commands on the appliance (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-27778 (same product: Fortinet FortiSandbox)
CVE-2024-52961 (same product: Fortinet FortiSandbox)
CVE-2025-53949 (same product: Fortinet FortiSandbox)
CVE-2024-54018 (same product: Fortinet FortiSandbox)
CVE-2025-52436 (same product: Fortinet FortiSandbox)
CVE-2026-39813 (same product: Fortinet FortiSandbox)
CVE-2024-27781 (same product: Fortinet FortiSandbox)
CVE-2024-52960 (same product: Fortinet FortiSandbox)
CVE-2025-64155 (same vendor: Fortinet)
CVE-2025-58034 (same vendor: Fortinet)

Affected Assets

Vendor: Fortinet
Product: FortiSandbox
Versions: 4.4.0 through 4.4.8 (inclusive, per the advisory text above)
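A quick inventory check against the affected range, as an added example that is not code from this page, from Fortinet, or from the FG-IR-26-100 advisory. It takes the 4.4.0 through 4.4.8 range stated in the advisory text, compares versions numerically, and shows the classic pitfall of comparing version strings as text (a hypothetical later build such as 4.4.10 sorts before 4.4.8 lexicographically and would be wrongly flagged). The hostnames, the inventory layout and the 'v'-prefixed three-part version format are assumptions made for the example; the check only says whether a version lies in the range the page lists, and the fixed release, which this page does not name, should be taken from the advisory.

```python
import re

# Affected range as stated in the advisory text on this page (inclusive).
AFFECTED_MIN = (4, 4, 0)
AFFECTED_MAX = (4, 4, 8)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a dotted three-part version such as '4.4.8' or 'v4.4.8'.

    The optional 'v' prefix and the three-part form are assumptions about
    how an inventory export records the version, not a FortiSandbox format.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies in 4.4.0 through 4.4.8, compared numerically."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def naive_is_affected(version: str) -> bool:
    """The pitfall: comparing version strings lexicographically.

    '4.4.10' sorts before '4.4.8' as text because '1' < '8', so a string
    compare wrongly flags later builds as affected. Kept for contrast only.
    """
    return "4.4.0" <= version.strip().lstrip("v") <= "4.4.8"


def affected_hosts(inventory: list[dict[str, str]]) -> list[str]:
    """Return the hostnames of inventory rows running an affected version."""
    return [row["host"] for row in inventory if is_affected(row["version"])]


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "fsa-lab-01", "version": "4.4.0"},
    {"host": "fsa-prod-01", "version": "v4.4.8"},
    {"host": "fsa-prod-02", "version": "4.4.10"},
    {"host": "fsa-dr-01", "version": "4.2.5"},
]

if __name__ == "__main__":
    for row in SAMPLE_INVENTORY:
        status = "affected" if is_affected(row["version"]) else "not in listed range"
        print(f"{row['host']:12} {row['version']:8} {status}")
```

Anything outside the listed range is reported as "not in listed range" rather than "safe": the page only documents 4.4.0 through 4.4.8, and other branches should be checked against the vendor advisory.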

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and neutralization of untrusted input before it is used in OS commands, blocking the CWE-78 injection vector.

SI-2 Flaw Remediation (prevent)

Mandates timely application of vendor patches that remediate the improper neutralization flaw in FortiSandbox 4.4.0 through 4.4.8.

AC-6 Least Privilege (prevent)

Enforces least privilege on the appliance so that even a successful command injection yields minimal system-level impact.
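What SI-10 style neutralization of the CWE-78 vector looks like in code, as an added illustration of the weakness class and not FortiSandbox code, Fortinet code, or the undisclosed attack vector of CVE-2026-39808. The 'hostname' parameter, the ping command and the injection payload are assumptions chosen for the example. The vulnerable form splices untrusted input into a string handed to a shell; the hardened form validates the value against an allowlist (rejecting a leading hyphen so it can never be parsed as an option) and passes an argv list without a shell, so metacharacters are never interpreted.

```python
import re
import shlex
import subprocess

# Allowlist for a hostname or IPv4 literal: letters, digits, dots, hyphens,
# and no leading hyphen so the value can never be parsed as a ping option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def build_command_vulnerable(hostname: str) -> str:
    """CWE-78: untrusted input spliced into a string destined for a shell."""
    return f"ping -c 1 {hostname}"


def shell_tokens(command: str) -> list[str]:
    """Show how a POSIX shell would tokenise the string (';' ends a command)."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_hostname(hostname: str) -> bool:
    """SI-10 style validation: accept only characters in the allowlist."""
    return HOST_RE.fullmatch(hostname) is not None


def build_command_hardened(hostname: str) -> list[str]:
    """Hardened form: validate first, then build an argv list with no shell."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def run_hardened(hostname: str) -> subprocess.CompletedProcess:
    """Execute without shell=True so every byte of the argument is literal."""
    return subprocess.run(build_command_hardened(hostname),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed injection payload; 192.0.2.1 is an RFC 5737 documentation address.
    payload = "192.0.2.1; id"
    print("vulnerable string:", build_command_vulnerable(payload))
    print("shell tokens     :", shell_tokens(build_command_vulnerable(payload)))
    try:
        build_command_hardened(payload)
    except ValueError as exc:
        print("hardened rejects :", exc)
    print("hardened argv    :", build_command_hardened("192.0.2.1"))
```

The token listing is the point: the shell sees `;` as a separator, so the second token list is two commands, and no amount of quoting inside the f-string is a substitute for the argv form. The allowlist also blocks `$(...)`, backticks and whitespace, and the leading-character rule closes the argument injection route that a character allowlist alone leaves open.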
