Fortinet FortiSandbox contains a critical OS command injection vulnerability (CVSS 9.8) in the web UI allowing unauthenticated remote code execution. Third FortiSandbox CVE exploited in 2026. CISA KEV listed with BOD 26-04 deadline (FCEB agencies).
JULY 16, 2026CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED5 MIN READ Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface. Fortinet's CNA record assig…