Cross-Site Scripting Vulnerability in Fortinet FortiSOAR Products
CVE-2026-22154

4.4 MEDIUM

Key Information:

Vendor: Fortinet

CVE Published: 14 April 2026

What is CVE-2026-22154?

A cross-site scripting (XSS) vulnerability exists in Fortinet's FortiSOAR products, allowing an authenticated remote attacker to execute stored XSS attacks through specially crafted HTTP requests. This can lead to unauthorized data access, manipulation, or exposure of sensitive user information. Affected versions include FortiSOAR PaaS and on-premise releases from 7.3 to 7.6.3. Timely updates and patches are critical to safeguarding against exploitation.

Affected Version(s)

FortiSOAR on-premise 7.6.0 <= 7.6.3

FortiSOAR on-premise 7.5.0 <= 7.5.2

FortiSOAR on-premise 7.4.0 <= 7.4.5

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
