Second-Order OS Command Injection via JSON Input on start vnc feature

CVEs

| CVE | CVSS | CWE | Exploitation |
| --- | --- | --- | --- |
| CVE-2026-25089 | 9.1 | CWE-78: OS Command Injection | Not observed in the wild |

Affected Products

| Product | Affected versions | Fixed version |
| --- | --- | --- |
| FortiSandbox | FortiSandbox 5.2 | Not specified by vendor |
| FortiSandbox | FortiSandbox 5.0 | Not specified by vendor |
| FortiSandbox | FortiSandbox 4.4 | Not specified by vendor |
| FortiSandbox | FortiSandbox 4.2 | Not specified by vendor |
| FortiSandbox Cloud | FortiSandbox Cloud 24 | Not specified by vendor |
| FortiSandbox Cloud | FortiSandbox Cloud 23 | Not specified by vendor |
| FortiSandbox Cloud | FortiSandbox Cloud 5.2 | Not specified by vendor |
| FortiSandbox Cloud | FortiSandbox Cloud 5.0 | Not specified by vendor |
| FortiSandbox Cloud | FortiSandbox Cloud 4.4 | Not specified by vendor |
| FortiSandbox Cloud | FortiSandbox Cloud 4.2 | Not specified by vendor |
| FortiSandbox PaaS | FortiSandbox PaaS 5.2 | Not specified by vendor |
| FortiSandbox PaaS | FortiSandbox PaaS 5.0 | Not specified by vendor |
| FortiSandbox PaaS | FortiSandbox PaaS 4.4 | Not specified by vendor |
| FortiSandbox PaaS | FortiSandbox PaaS 4.2 | Not specified by vendor |