← Home
Second-Order OS Command Injection via JSON Input on start vnc feature
Source: fortinet / FG-IR-26-141
— original advisory
Published: 2026-06-09
· Last updated: 2026-06-09
· Vendor severity: Not rated by vendor
CVEs
| CVE | CVSS | CWE | Exploitation |
| CVE-2026-25089 |
9.1 |
CWE-78: OS Command Injection |
Not observed in the wild |
Affected Products
| Product | Affected versions | Fixed version |
| FortiSandbox |
FortiSandbox 5.2 |
Not specified by vendor |
| FortiSandbox |
FortiSandbox 5.0 |
Not specified by vendor |
| FortiSandbox |
FortiSandbox 4.4 |
Not specified by vendor |
| FortiSandbox |
FortiSandbox 4.2 |
Not specified by vendor |
| FortiSandbox Cloud |
FortiSandbox Cloud 24 |
Not specified by vendor |
| FortiSandbox Cloud |
FortiSandbox Cloud 23 |
Not specified by vendor |
| FortiSandbox Cloud |
FortiSandbox Cloud 5.2 |
Not specified by vendor |
| FortiSandbox Cloud |
FortiSandbox Cloud 5.0 |
Not specified by vendor |
| FortiSandbox Cloud |
FortiSandbox Cloud 4.4 |
Not specified by vendor |
| FortiSandbox Cloud |
FortiSandbox Cloud 4.2 |
Not specified by vendor |
| FortiSandbox PaaS |
FortiSandbox PaaS 5.2 |
Not specified by vendor |
| FortiSandbox PaaS |
FortiSandbox PaaS 5.0 |
Not specified by vendor |
| FortiSandbox PaaS |
FortiSandbox PaaS 4.4 |
Not specified by vendor |
| FortiSandbox PaaS |
FortiSandbox PaaS 4.2 |
Not specified by vendor |