Cyber Posture

CVE-2026-39813

Critical

Published: 14 April 2026
Modified: 20 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.2nd percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39813 is a critical-severity Path Traversal: '../filedir' (CWE-24) vulnerability in Fortinet Fortisandbox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 30.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): requires timely flaw remediation, directly addressing this path traversal vulnerability through application of the Fortinet patches recommended in FG-IR-26-112.

SI-10 (prevent): mandates validation of inputs to block path traversal sequences such as '../filedir', whatever the (currently unspecified) attack vector turns out to be.

AC-6 (prevent): enforces least privilege to limit the scope and impact of privilege escalation even if path traversal succeeds.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Path traversal vulnerability (CWE-24) in public-facing FortiSandbox enables remote unauthenticated exploitation (T1190) leading directly to privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via <insert attack vector here>

Deeper analysis

CVE-2026-39813 is a path traversal vulnerability (CWE-24) in Fortinet FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. Published on 2026-04-14, the issue involves '../filedir' sequences and may allow an attacker to achieve escalation of privilege via an unspecified attack vector. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical because of its high potential impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by a remote, unauthenticated attacker over the network with low attack complexity and no user interaction required. Successful exploitation enables privilege escalation, allowing the attacker to gain elevated access on the affected FortiSandbox instance.

Fortinet's PSIRT advisory (FG-IR-26-112) at https://fortiguard.fortinet.com/psirt/FG-IR-26-112 provides further details on the vulnerability, including recommended mitigations and patches.

Details

CWE(s)

Affected Products

fortinet
fortisandbox
4.4.0 — 4.4.9 · 5.0.0 — 5.0.6

CVEs Like This One

CVE-2024-45328 (same product: Fortinet Fortisandbox)
CVE-2025-52436 (same product: Fortinet Fortisandbox)
CVE-2024-27778 (same product: Fortinet Fortisandbox)
CVE-2024-52961 (same product: Fortinet Fortisandbox)
CVE-2026-39808 (same product: Fortinet Fortisandbox)
CVE-2024-52960 (same product: Fortinet Fortisandbox)
CVE-2024-27781 (same product: Fortinet Fortisandbox)
CVE-2024-54018 (same product: Fortinet Fortisandbox)
CVE-2021-26105 (same product: Fortinet Fortisandbox)
CVE-2024-54027 (same product: Fortinet Fortisandbox)

References