Path Traversal Vulnerability in Fortinet FortiSandbox Products
CVE-2026-25691

6.2MEDIUM

Key Information:

Vendor: Fortinet
Status: Fortisandbox Paas; Fortisandbox Cloud; Fortisandbox
Vendor: CVE Published:; 14 April 2026

What is CVE-2026-25691?

A path traversal vulnerability exists in Fortinet FortiSandbox products, allowing a privileged attacker with super-admin profile and CLI access to manipulate requested directories. By crafting specific HTTP requests, the attacker can delete arbitrary directories within the system's restricted paths, posing significant risks to data integrity and security.

Affected Version(s)

FortiSandbox 5.0.0 <= 5.0.5

FortiSandbox 4.4.0 <= 4.4.8

FortiSandbox 4.2.1 <= 4.2.8

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-115

CVSS V3.1

Score:

6.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 14, 2026
Vulnerability Reserved
Feb 5, 2026

CVE-2026-25691 Data

JSON