CVE-2026-39808

🗓️ 14 Apr 2026 15:38:02Reported by fortinetType

cve🔗 web.nvd.nist.gov📰️ 8 Media mentions👁 60 Views🌐 WEB

CVE-2026-39808: FortiSandbox 4.4.0 through 4.4.8 suffers os command injection enabling code execution.

Reporter	Title	Published	Views	Family All 20
GithubExploit	Exploit for CVE-2026-39808	18 Apr 202609:15	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Fortinet Fortisandbox	18 Jun 202620:32	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Fortinet Fortisandbox	17 Jun 202601:42	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Fortinet Fortisandbox	21 Apr 202622:21	–	githubexploit
Circl	CVE-2026-39808	14 Apr 202606:20	–	circl
CNNVD	Fortinet FortiSandbox 操作系统命令注入漏洞	14 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-39808	14 Apr 202615:38	–	cvelist
EUVD	EUVD-2026-22338	14 Apr 202618:30	–	euvd
NCSC	vulnerabilities in Fortinet FortiSandbox	15 Apr 202612:23	–	ncsc
Nuclei	Fortinet FortiSandbox - Command Injection	28 Jun 202615:08	–	nuclei

NVD

Node

fortinet fortisandboxRange4.4.0–4.4.9

[
  {
    "vendor": "Fortinet",
    "product": "FortiSandbox",
    "cpes": [
      "cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "4.4.0",
        "lessThanOrEqual": "4.4.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Fortinet",
    "product": "FortiSandbox PaaS",
    "cpes": [
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "23.4.4374",
        "status": "affected"
      },
      {
        "version": "23.4.4350",
        "status": "affected"
      },
      {
        "version": "23.3.4329",
        "status": "affected"
      },
      {
        "version": "23.1.4245",
        "status": "affected"
      },
      {
        "version": "22.2.4151",
        "status": "affected"
      },
      {
        "version": "22.2.4134",
        "status": "affected"
      },
      {
        "version": "22.1.4113",
        "status": "affected"
      },
      {
        "version": "21.4.4072",
        "status": "affected"
      },
      {
        "version": "21.3.4055",
        "status": "affected"
      }
    ]
  }
]

Source	Link
fortiguard	www.fortiguard.fortinet.com/psirt/FG-IR-26-100
github	www.github.com/samu-delucas/CVE-2026-39808

Parameter	Position	Path	Description	CWE
jid	query param	fortisandbox/job-detail/tracer-behavior	Remote command execution via unsafely handling of jid parameter leading to OS command injection	CWE-78

17 Jun 2026 10:42Current

6Medium risk

Vulners AI Score6

CVSS 3.19.8

EPSS0.48668

SSVC