PT-2026-32687 · Fortinet · Fortisandbox

Published: 2026-04-14 · Updated: 2026-04-27 · CVE-2026-39808

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: FortiSandbox versions 4.4.0 through 4.4.8

Description: An OS command injection flaw exists in the JRPC API of FortiSandbox because the pipe symbol (|) is not neutralized when the jid parameter is processed. An unauthenticated remote attacker can therefore execute arbitrary operating system commands with root privileges by sending a specially crafted GET request. The flaw is located at the '/fortisandbox/job-detail/tracer-behavior' endpoint, where the jid value is passed directly into a system-level shell command without adequate sanitization.

Recommendations: Update to FortiSandbox version 4.4.9, or to 5.0.0 or later. Restrict access to ports 443/8443 on the FortiSandbox to trusted administrative IP addresses only. Block all traffic to the '/fortisandbox/job-detail/' path from general internal or external subnets. As a temporary workaround, restrict the use of the jid parameter on the '/fortisandbox/job-detail/tracer-behavior' endpoint.
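Added example (not part of the advisory or of any Fortinet tooling): a log check that flags requests to the endpoint named above whose jid value contains the pipe character the advisory describes, including once-double-encoded values. It assumes the web or proxy log is in Apache/nginx "combined" format; the sample log lines are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory; the pipe is the metacharacter it reports.
TARGET_PATH = "/fortisandbox/job-detail/tracer-behavior"

# Assumption: lines are in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_jid(target: str) -> Optional[str]:
    """Return the decoded jid if the request targets the advisory's
    endpoint with a pipe in jid, otherwise None."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get("jid", []):
        # parse_qs percent-decodes once; decode again so that a
        # double-encoded value (%257C -> %7C -> |) is not missed.
        value = unquote(raw)
        if "|" in value:
            return value
    return None


def scan(lines):
    """Return (client_ip, timestamp, decoded_jid) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; not this checker's concern
        jid = suspicious_jid(m["target"])
        if jid is not None:
            hits.append((m["ip"], m["ts"], jid))
    return hits


# Constructed sample lines, not taken from any real device log.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Apr/2026:10:00:01 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1001 HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Apr/2026:10:00:02 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1001%7Cprobe HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Apr/2026:10:00:03 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1001%257Cprobe HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Apr/2026:10:00:04 +0000] "GET /fortisandbox/job-detail/other?jid=1%7Cx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, ts, jid in scan(SAMPLE_LOG):
        print(f"{ts} {ip} jid={jid!r}")
```

A hit on a patched build is still worth a look, since it shows the endpoint is reachable from that client despite the recommended port and path restrictions.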

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers: BDU:2026-05445, CVE-2026-39808

Affected Products: Fortisandbox