CVE-2026-40688
Published: 14 April 2026
Summary
CVE-2026-40688 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Fortinet FortiWeb. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 31.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40688 is an out-of-bounds write vulnerability (CWE-787) affecting Fortinet FortiWeb in versions 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11. This flaw, published on 2026-04-14, carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.
A remote attacker with privileged access can exploit this vulnerability by sending crafted HTTP requests, potentially leading to arbitrary code or command execution on the affected FortiWeb appliance. The attack requires high privileges (PR:H) but has low complexity (AC:L), no user interaction (UI:N), and is accessible over the network (AV:N) without changing scope.
For mitigation details, refer to the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-127, which provides guidance on patches and workarounds.
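As an added example (not code from the advisory or from Fortinet), a small Python helper that checks whether an inventoried FortiWeb version falls inside the affected ranges stated above; the hostnames and inventory are constructed sample data.

```python
# Affected FortiWeb version ranges as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 3)),
    ((7, 6, 0), (7, 6, 6)),
    ((7, 4, 0), (7, 4, 11)),
]


def parse_version(text):
    """Parse a 'major.minor.patch' string (e.g. '7.6.4') into a comparable int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges.

    A version outside every range is only 'not listed', not proven safe: older
    branches may be unassessed or end-of-support, so confirm against the
    Fortinet PSIRT advisory before closing a finding.
    """
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """Return the (host, version) pairs from an inventory that need patching."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "7.6.6"),   # last listed affected 7.6.x build
    ("waf-dmz-02", "7.6.7"),   # outside the listed range
    ("waf-lab", "8.0.3"),      # last listed affected 8.0.x build
    ("waf-old", "7.2.9"),      # branch not mentioned in the advisory
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: FortiWeb {ver} is in an affected range, schedule the vendor patch")
```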
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22808
Vulnerability details
An out-of-bounds write vulnerability [CWE-787] in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attacker to execute arbitrary code or command via crafted HTTP requests.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write in public-facing FortiWeb appliance allows remote privileged attackers to send crafted HTTP requests for arbitrary code/command execution, directly enabling T1190 (Exploit Public-Facing Application) and facilitating T1059 (Command and Scripting Interpreter).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the out-of-bounds write vulnerability by applying the vendor patches specified in the Fortinet advisory.
- SI-16 (Memory Protection): implements memory safeguards such as ASLR and DEP to protect against exploitation of out-of-bounds writes leading to arbitrary code execution.
- Input validation: validates crafted HTTP request inputs to prevent those that trigger the out-of-bounds write in FortiWeb.