PT-2026-32687 · Fortinet · Fortisandbox

Published

2026-04-14

·

Updated

2026-07-08

·

CVE-2026-39808

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions FortiSandbox versions 4.4.0 through 4.4.8
Description An OS command injection flaw exists in the JRPC API due to improper neutralization of the pipe symbol (|) when processing the jid parameter. This allows an unauthenticated remote attacker to execute arbitrary code with root privileges by sending a specially crafted HTTP GET request to the /fortisandbox/job-detail/tracer-behavior endpoint. The issue occurs because the backend script passes the jid variable directly into a system-level shell command without adequate sanitization.
Recommendations Update FortiSandbox to version 4.4.9 or 5.0.0 and later. Restrict access to ports 443 and 8443 to trusted administrative IP addresses only. Block all traffic to the /fortisandbox/job-detail/ path from general internal or external subnets. As a temporary mitigation, avoid using the jid parameter in the /fortisandbox/job-detail/tracer-behavior endpoint.

Exploit

Fix

RCE

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-05445
CVE-2026-39808

Affected Products

Fortisandbox