Cyber Resilience

CVE-2026-39815

Severity: High
Published: 14 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: vendor-provided (see Fortinet PSIRT advisory FG-IR-26-119)
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0036 (27.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-39815 is a high-severity SQL injection (CWE-89) vulnerability in Fortinet FortiDDoS-F. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39815 is an SQL injection vulnerability (CWE-89) affecting Fortinet FortiDDoS-F versions 7.2.1 through 7.2.2. It arises from improper neutralization of special elements used in an SQL command, which may allow an attacker to execute unauthorized code or commands via crafted HTTP requests. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

The PR:L component of the vector means the attacker must already hold a low-privileged account on the appliance (an ordinary authenticated user, not an administrator) but needs no user interaction and reaches the vulnerable handler over the network. From that position, a crafted HTTP request carries SQL syntax that is concatenated into a query, and the advisory wording states the outcome can be unauthorized code or command execution on the affected system. Because the affected component is the appliance's HTTP interface, exposure of the management plane is the main amplifier: restricting administrative access to trusted hosts and networks limits who can reach the vulnerable handler while the patch is rolled out, and every low-privilege account on the device should be treated as a potential path to this bug until it is fixed.
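The weakness class described above, as an added example written for this page: it is not FortiDDoS-F code and takes nothing from FG-IR-26-119, whose technical details are not reproduced here. A small Python handler backed by an in-memory SQLite store, with a constructed schema, session shape and crafted request, shows the CWE-89 pattern the CVSS vector implies (an authenticated low-privilege session, no user interaction, a crafted HTTP query string), what an attacker can read through it, and the two-layer fix of allow-list validation (SI-10) plus a bound query parameter. The advisory names code or command execution as the outcome; the toy schema can only demonstrate data exposure, which is the consequence of the same query-concatenation defect. Table names, column names, handler names and the session dictionary are all assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Added example. Schema, handler names, session shape and payload are constructed
# for illustration; none of it is FortiDDoS-F code or content from FG-IR-26-119.


def make_db() -> sqlite3.Connection:
    """In-memory store standing in for an appliance's configuration database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, role TEXT, pw_hash TEXT);
        CREATE TABLE profiles(id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        INSERT INTO users VALUES (1, 'admin',  'admin',     'hash-of-admin-secret');
        INSERT INTO users VALUES (2, 'viewer', 'read-only', 'hash-of-viewer-secret');
        INSERT INTO profiles VALUES (1, 'web-tier', 'admin');
        INSERT INTO profiles VALUES (2, 'dns-tier', 'viewer');
    """)
    return conn


def owner_from_request(query_string: str) -> str:
    """Extract the 'owner' parameter from an HTTP query string ('+' and %XX decoded)."""
    return parse_qs(query_string).get("owner", [""])[0]


def require_login(session: dict) -> None:
    """Models PR:L: the handler is reachable only with an authenticated session."""
    if not session.get("authenticated"):
        raise PermissionError("login required")


def list_profiles_vulnerable(conn, session, query_string):
    """CWE-89: the request parameter is spliced straight into the SQL text."""
    require_login(session)
    owner = owner_from_request(query_string)
    sql = f"SELECT name FROM profiles WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


# Allow-list for an owner name (assumed format): letters, digits, '_', '.', '-', max 32 chars.
_OWNER_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def list_profiles_fixed(conn, session, query_string, validate=True):
    """Hardened handler: bound parameter, plus allow-list validation (SI-10) as a second layer."""
    require_login(session)
    owner = owner_from_request(query_string)
    if validate and not _OWNER_RE.fullmatch(owner):
        raise ValueError("owner: rejected by input validation")
    sql = "SELECT name FROM profiles WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


# A low-privilege session and the crafted request it sends. The payload closes the string
# literal, appends a UNION ALL that reads the users table, and comments out the trailing quote.
LOW_PRIV_SESSION = {"user": "viewer", "role": "read-only", "authenticated": True}
BENIGN_QS = "owner=viewer"
CRAFTED_QS = "owner=viewer'+UNION+ALL+SELECT+pw_hash+FROM+users--"


def demo() -> dict:
    conn = make_db()
    out = {"leaked": list_profiles_vulnerable(conn, LOW_PRIV_SESSION, CRAFTED_QS)}
    try:
        list_profiles_fixed(conn, LOW_PRIV_SESSION, CRAFTED_QS)
        out["validation_blocked"] = False
    except ValueError:
        out["validation_blocked"] = True
    # Binding alone also defeats the payload: it is compared as a literal owner name.
    out["bound_only"] = list_profiles_fixed(conn, LOW_PRIV_SESSION, CRAFTED_QS, validate=False)
    out["benign"] = list_profiles_fixed(conn, LOW_PRIV_SESSION, BENIGN_QS)
    try:
        list_profiles_vulnerable(conn, {}, BENIGN_QS)
        out["unauthenticated_denied"] = False
    except PermissionError:
        out["unauthenticated_denied"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler returns every password hash in the users table to a read-only account, which is the C:H part of the vector in miniature. Binding the parameter is the actual fix: the crafted value becomes a literal owner name and matches nothing. The allow-list is defence in depth and also gives you a cheap log event for attempted injection, which the bound-only variant does not.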

Mitigation details are provided in the Fortinet PSIRT advisory FG-IR-26-119, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-119.


Vulnerability details

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

SQL injection in the public-facing Fortinet web interface enables remote exploitation of the application (T1190) and, per the advisory wording, unauthorized code or command execution (T1059) via crafted HTTP requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
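To turn the T1190 mapping into something a SOC can act on, here is an added detection example, written for this page rather than taken from Fortinet or from any vendor tooling. It scans constructed web-server access-log lines for SQL syntax arriving in request parameters, undoing URL encoding twice so a double-encoded payload does not slip past, and counts findings per source address and account so the abused low-privilege login (the PR:L precondition) stands out. The log format, request paths, account names and payloads are assumptions; the FortiDDoS-F appliance's own log format is not described on this page.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Added example. The log lines below are constructed in Common Log Format for
# illustration; they are not FortiDDoS-F logs, and the request paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - viewer [14/Apr/2026:10:01:02 +0000] "GET /api/profiles?owner=viewer HTTP/1.1" 200 512
10.0.0.5 - viewer [14/Apr/2026:10:01:09 +0000] "GET /api/profiles?owner=viewer%27+UNION+ALL+SELECT+pw_hash+FROM+users-- HTTP/1.1" 200 2048
10.0.0.9 - admin [14/Apr/2026:10:02:11 +0000] "POST /api/profiles HTTP/1.1" 201 64
10.0.0.5 - viewer [14/Apr/2026:10:03:30 +0000] "GET /api/profiles?owner=x%2527%253B+DROP+TABLE+profiles%253B-- HTTP/1.1" 500 0
10.0.0.7 - - [14/Apr/2026:10:04:00 +0000] "GET /login?next=/dashboard HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Heuristic indicators of SQL syntax inside a request parameter. They are deliberately
# narrow; tune them against your own traffic before alerting, since names containing an
# apostrophe or a literal "--" will trip the last two.
INDICATORS = [
    ("union-select", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S)),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|alter|create)\b", re.I)),
    ("quote-then-operator", re.compile(r"'\s*(or|and|union|;|--)", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
]


def decoded_query(target: str) -> str:
    """Query string of the request target, decoded twice to undo double-encoding."""
    query = urlsplit(target).query
    return unquote_plus(unquote_plus(query))


def scan_line(line: str):
    """Return a finding dict for one log line, or None if it parses clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = decoded_query(m["target"])
    hits = [name for name, rx in INDICATORS if rx.search(query)]
    if not hits:
        return None
    return {
        "ip": m["ip"], "user": m["user"], "ts": m["ts"],
        "path": urlsplit(m["target"]).path, "status": int(m["status"]),
        "decoded_query": query, "indicators": hits,
    }


def scan_log(text: str) -> list:
    """One finding per log line that carries SQL injection indicators."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


def offenders(findings) -> Counter:
    """Count findings per (source IP, account) so the authenticated source stands out."""
    return Counter((f["ip"], f["user"]) for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} user={f['user']} {f['path']} -> {f['indicators']}")
    print(offenders(found))
```

Two of the five lines are flagged, both from the same authenticated read-only account, and the second only because the decoder runs twice (`%2527` becomes `%27` and then `'`). A 200 with an unusually large response size on a flagged request is the line to escalate: it suggests the injected query returned data rather than failing.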

CVEs Like This One

CVE-2025-49784 (same vendor: Fortinet)
CVE-2023-37931 (same vendor: Fortinet)
CVE-2024-54026 (same vendor: Fortinet)
CVE-2025-61848 (same vendor: Fortinet)
CVE-2026-21643 (same vendor: Fortinet)
CVE-2025-59922 (same vendor: Fortinet)
CVE-2022-29059 (same vendor: Fortinet)
CVE-2025-25257 (same vendor: Fortinet)
CVE-2024-55597 (same vendor: Fortinet)
CVE-2023-40723 (same vendor: Fortinet)

Affected Assets

Vendor: fortinet
Product: fortiddos-f
Versions: 7.2.1 to 7.2.3 (as recorded here; the vulnerability description above lists 7.2.1 through 7.2.2, so confirm the exact affected and fixed builds against FG-IR-26-119 before closing the finding)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)
Requires timely identification, reporting, and correction of system flaws such as this SQL injection vulnerability through vendor-provided patches, as detailed in the Fortinet advisory.

SI-10 Information Input Validation (prevent)
Directly mandates validation of information inputs such as crafted HTTP requests to neutralize special elements and prevent SQL injection attacks. For a vendor appliance this control is met by the vendor's fix inside the application (bound query parameters and validated request parameters); a filter in front of the interface can reduce exposure but does not close the flaw.

SI-5 Security Alerts, Advisories, and Directives (prevent)
Ensures monitoring and implementation of security advisories such as Fortinet PSIRT FG-IR-26-119 to address known vulnerabilities promptly.

References

Fortinet PSIRT advisory FG-IR-26-119: https://fortiguard.fortinet.com/psirt/FG-IR-26-119