CVE-2026-39808
Published: 14 April 2026
Summary
CVE-2026-39808 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSandbox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39808 is an OS command injection vulnerability, tracked under CWE-78, that affects Fortinet FortiSandbox versions 4.4.0 through 4.4.8. The flaw stems from improper neutralization of special elements in operating system commands and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input to trigger arbitrary command execution on the affected appliance, potentially leading to complete system compromise and unauthorized code or command execution.
The Fortinet advisory FG-IR-26-100 and an associated public repository provide further details on the issue and any available remediation steps.
The EPSS score for this CVE rose from lower values after the April 2026 disclosure to a peak of 0.2794 on 2026-06-03 and has since receded to the current 0.2276, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22338
Vulnerability details
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in a public-facing FortiSandbox appliance maps to Exploit Public-Facing Application (T1190) and, once triggered, to arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of untrusted input before it is used in OS commands, blocking the CWE-78 injection vector.
- SI-2 (Flaw Remediation): Mandates timely application of vendor patches that remediate the improper neutralization flaw in FortiSandbox 4.4.0-4.4.8.
- Least privilege: Enforces least privilege on the appliance so that even a successful command injection yields minimal system-level impact.