CVE-2026-39808

🗓️ 14 Apr 2026 15:38:02Reported by fortinetType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 22 Views🌐 WEB

CVE-2026-39808: FortiSandbox 4.4.0 through 4.4.8 suffers os command injection enabling code execution.

Reporter	Title	Published	Views	Family All 15
GithubExploit	Exploit for CVE-2026-39808	18 Apr 202609:15	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Fortinet Fortisandbox	21 Apr 202622:21	–	githubexploit
Circl	CVE-2026-39808	14 Apr 202606:20	–	circl
CNNVD	Fortinet FortiSandbox 操作系统命令注入漏洞	14 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-39808	14 Apr 202615:38	–	cvelist
EUVD	EUVD-2026-22338	14 Apr 202618:30	–	euvd
NCSC	vulnerabilities in Fortinet FortiSandbox	15 Apr 202612:23	–	ncsc
Nuclei	Fortinet FortiSandbox - Command Injection	6 Jun 202603:01	–	nuclei
NVD	CVE-2026-39808	14 Apr 202616:16	–	nvd
Packet Storm	📄 Fortinet FortiSandbox 4.4.8 Remote Command Execution	16 Apr 202600:00	–	packetstorm

NVD

Node

fortinet fortisandboxRange4.4.0–4.4.9

[
  {
    "vendor": "Fortinet",
    "product": "FortiSandbox",
    "cpes": [
      "cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "4.4.0",
        "lessThanOrEqual": "4.4.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "Fortinet",
    "product": "FortiSandbox PaaS",
    "cpes": [
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4374:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.4.4350:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.3.4329:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:23.1.4245:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4151:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:22.2.4134:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:22.1.4113:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:21.4.4072:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortisandboxpaas:21.3.4055:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "23.4.4374",
        "status": "affected"
      },
      {
        "version": "23.4.4350",
        "status": "affected"
      },
      {
        "version": "23.3.4329",
        "status": "affected"
      },
      {
        "version": "23.1.4245",
        "status": "affected"
      },
      {
        "version": "22.2.4151",
        "status": "affected"
      },
      {
        "version": "22.2.4134",
        "status": "affected"
      },
      {
        "version": "22.1.4113",
        "status": "affected"
      },
      {
        "version": "21.4.4072",
        "status": "affected"
      },
      {
        "version": "21.3.4055",
        "status": "affected"
      }
    ]
  }
]

Source	Link
fortiguard	www.fortiguard.fortinet.com/psirt/FG-IR-26-100
github	www.github.com/samu-delucas/CVE-2026-39808

Parameter	Position	Path	Description	CWE
jid	query param	fortisandbox/job-detail/tracer-behavior	OS command injection via jid parameter enabling remote command execution as root	CWE-78

22 Apr 2026 14:17Current

6Medium risk

Vulners AI Score6

CVSS 3.19.8

EPSS0.27939

SSVC

CWE-78