Fortinet / FortiGate

Three-year CVE watchlist for Fortinet, FortiGate, FortiOS, FortiProxy, FortiManager and FortiAnalyzer vulnerabilities.

Dedicated CVE watchlist

Fortinet / FortiGate

Three-year CVE watchlist for Fortinet, FortiGate, FortiOS, FortiProxy, FortiManager and FortiAnalyzer vulnerabilities.

Server administration
CategorySwitch between product-focused CVE watchlists.
Showsorted by operational relevance for DataHouse infrastructure
CVE-2026-21643CVSS 9.8CISA KEVFirewall

CVE-2026-21643: Fortinet FortiClient EMS SQL Injection Vulnerability

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Updated: 2026-06-17
CVE-2023-48788CVSS 9.8CISA KEVFirewall

CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Vulnerability

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted...

Updated: 2026-06-17
CVE-2025-25257CVSS 9.8CISA KEVFirewall

CVE-2025-25257: Fortinet FortiWeb SQL Injection Vulnerability

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10...

Updated: 2026-06-17
CVE-2024-47575CVSS 9.8CISA KEVFirewall

CVE-2024-47575: Fortinet FortiManager Missing Authentication Vulnerability

A missing authentication for critical function in FortiManager 7.6.0, FortiManager 7.4.0 through 7.4.4, FortiManager 7.2.0 through 7.2.7, FortiManager 7.0.0 through 7.0.12, FortiManager 6.4.0 through 6.4.14, FortiManager 6.2.0 through 6.2.12, Fortinet Forti...

Updated: 2026-06-17
CVE-2025-64446CVSS 9.8CISA KEVFirewall

CVE-2025-64446: Fortinet FortiWeb Path Traversal Vulnerability

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative comman...

Updated: 2026-06-17
CVE-2024-21762CVSS 9.8CISA KEVFirewall

CVE-2024-21762: Fortinet FortiOS Out-of-Bound Write Vulnerability

A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through ...

Updated: 2026-06-17
CVE-2024-23113CVSS 9.8CISA KEVFirewall

CVE-2024-23113: Fortinet Multiple Products Format String Vulnerability

A use of externally-controlled format string in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, FortiPAM versions 1.2.0, 1.1.0 thro...

Updated: 2026-06-17
CVE-2025-58034CVSS 7.2CISA KEVFirewall

CVE-2025-58034: Fortinet FortiWeb OS Command Injection Vulnerability

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through ...

Updated: 2026-06-17
CVE-2026-39808CVSS 9.8Firewall

CVE-2026-39808: fortisandbox vulnerability

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

Updated: 2026-06-17
CVE-2025-64155CVSS 9.8Firewall

CVE-2025-64155: fortisiem vulnerability

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7...

Updated: 2026-06-17
CVE-2026-25089CVSS 9.8Firewall

CVE-2026-25089: fortisandbox vulnerability

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5,...

Updated: 2026-06-17
CVE-2026-39813CVSS 9.8Firewall

CVE-2026-39813: fortisandbox vulnerability

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via specially crafted HTTP requests.

Updated: 2026-06-18
CVE-2024-23108CVSS 10.0Firewall

CVE-2024-23108: fortisiem vulnerability

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests.

Updated: 2026-06-17
CVE-2023-34992CVSS 10.0Firewall

CVE-2023-34992: fortisiem vulnerability

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.

Updated: 2026-06-17
CVE-2025-25256CVSS 9.8Firewall

CVE-2025-25256: fortisiem vulnerability

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an ...

Updated: 2026-06-17
CVE-2023-34991CVSS 9.8Firewall

CVE-2023-34991: fortiwlm vulnerability

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.0 through 8.4.2 and 8.3.0 through 8.3.2 and 8.2.2 allows attacker to execute unauthorized...

Updated: 2026-06-17
CVE-2023-34990CVSS 9.8Firewall

CVE-2023-34990: fortiwlm vulnerability

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

Updated: 2026-06-17
CVE-2025-59719CVSS 9.8Firewall

CVE-2025-59719: fortiweb vulnerability

An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SA...

Updated: 2026-06-17
CVE-2023-34993CVSS 9.8Firewall

CVE-2023-34993: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted http get ...

Updated: 2026-06-17
CVE-2023-25610CVSS 9.8Firewall

CVE-2023-25610: fortiweb vulnerability

A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through ...

Updated: 2026-06-17
CVE-2024-48887CVSS 9.8Firewall

CVE-2024-48887: fortiswitch vulnerability

A unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request

Updated: 2026-06-17
CVE-2023-33308CVSS 9.8Firewall

CVE-2023-33308: fortiproxy vulnerability

A stack-based overflow vulnerability [CWE-124] in Fortinet FortiOS version 7.0.0 through 7.0.10 and 7.2.0 through 7.2.3 and FortiProxy version 7.0.0 through 7.0.9 and 7.2.0 through 7.2.2 allows a remote unauthenticated attacker to execute arbitrary code or ...

Updated: 2026-06-17
CVE-2024-27781CVSS 7.1Firewall

CVE-2024-27781: fortisandbox vulnerability

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandb...

Updated: 2026-06-17
CVE-2025-53949CVSS 7.2Firewall

CVE-2025-53949: fortisandbox vulnerability

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4....

Updated: 2026-06-17
CVE-2024-48884CVSS 7.5Firewall

CVE-2024-48884: fortimanager vulnerability

A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4...

Updated: 2026-06-17
CVE-2025-53679CVSS 7.2Firewall

CVE-2025-53679: fortisandbox vulnerability

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4....

Updated: 2026-06-17
CVE-2025-52970CVSS 8.1Firewall

CVE-2025-52970: fortiweb vulnerability

A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and ...

Updated: 2026-06-17
CVE-2023-42789CVSS 9.8Firewall

CVE-2023-42789: fortiproxy vulnerability

A out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows attacker to execut...

Updated: 2026-06-17
CVE-2024-23109CVSS 10.0Firewall

CVE-2024-23109: fortisiem vulnerability

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests.

Updated: 2026-06-17
CVE-2023-36548CVSS 9.8Firewall

CVE-2023-36548: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted http get ...

Updated: 2026-06-17
CVE-2023-36550CVSS 9.8Firewall

CVE-2023-36550: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted http get ...

Updated: 2026-06-17
CVE-2023-36547CVSS 9.8Firewall

CVE-2023-36547: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted http get ...

Updated: 2026-06-17
CVE-2023-36553CVSS 9.8Firewall

CVE-2023-36553: fortisiem vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM version 5.4.0 and 5.3.0 through 5.3.3 and 5.2.5 through 5.2.8 and 5.2.1 through 5.2.2 and 5.1.0 through 5.1.3 and 5.0.0 through 5.0.1 and 4.10...

Updated: 2026-06-17
CVE-2025-52436CVSS 8.8Firewall

CVE-2025-52436: fortisandbox vulnerability

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all ...

Updated: 2026-06-17
CVE-2025-59922CVSS 7.2Firewall

CVE-2025-59922: forticlientems vulnerability

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClient...

Updated: 2026-06-17
CVE-2026-40688CVSS 7.2Firewall

CVE-2026-40688: fortiweb vulnerability

An out-of-bounds write vulnerability [CWE-787] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow a remote privileged attacker to execute arbitrary code or command via crafted HTTP r...

Updated: 2026-06-17
CVE-2026-25836CVSS 7.2Firewall

CVE-2026-25836: fortisandbox cloud vulnerability

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute una...

Updated: 2026-06-17
CVE-2023-45590CVSS 9.6Linux

CVE-2023-45590: forticlient vulnerability

An improper control of generation of code ('code injection') in Fortinet FortiClientLinux version 7.2.0, 7.0.6 through 7.0.10 and 7.0.3 through 7.0.4 allows attacker to execute unauthorized code or commands via tricking a FortiClientLinux user into visiting...

Updated: 2026-06-17
CVE-2025-47855CVSS 9.8Firewall

CVE-2025-47855

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS ...

Updated: 2026-06-17
CVE-2026-26083CVSS 9.8Firewall

CVE-2026-26083: fortisandbox vulnerability

A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 al...

Updated: 2026-06-17
CVE-2026-44277CVSS 9.8Firewall

CVE-2026-44277: fortiauthenticator vulnerability

A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or commands via crafted re...

Updated: 2026-06-17
CVE-2023-33300CVSS 5.3Firewall

CVE-2023-33300: fortinac vulnerability

A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiNAC 7.2.1 and earlier, 9.4.3 and earlier allows attacker a limited, unauthorized file access via specifically crafted request in inter-server communicati...

Updated: 2026-06-17
CVE-2025-64447CVSS 8.1Firewall

CVE-2025-64447: fortiweb vulnerability

A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an un...

Updated: 2026-06-17
CVE-2023-42791CVSS 8.8Firewall

CVE-2023-42791: fortimanager vulnerability

A relative path traversal in Fortinet FortiManager version 7.4.0 and 7.2.0 through 7.2.3 and 7.0.0 through 7.0.8 and 6.4.0 through 6.4.12 and 6.2.0 through 6.2.11 allows attacker to execute unauthorized code or commands via crafted HTTP requests.

Updated: 2026-06-17
CVE-2024-23666CVSS 7.5Firewall

CVE-2024-23666: fortianalyzer vulnerability

A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.2.0 through 7.2.4 ...

Updated: 2026-06-17
CVE-2023-48782CVSS 8.8Firewall

CVE-2023-48782: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 allows attacker to execute unauthorized code or commands via specifically crafted http get request parameters

Updated: 2026-06-17
CVE-2023-29180CVSS 7.5Firewall

CVE-2023-29180: fortiproxy vulnerability

A null pointer dereference in Fortinet FortiOS version 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.12, 6.2.0 through 6.2.14, 6.0.0 through 6.0.16, FortiProxy 7.2.0 through 7.2.3, 7.0.0 through 7.0.10, 2.0.0 through 2.0.12, 1.2.0 through 1.2...

Updated: 2026-06-17
CVE-2024-21755CVSS 8.8Firewall

CVE-2024-21755: fortisandbox vulnerability

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4 allows attacker to execute unauthoriz...

Updated: 2026-06-17
CVE-2024-50567CVSS 7.2Firewall

CVE-2024-50567: fortiweb vulnerability

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.4.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted input.

Updated: 2026-06-17
CVE-2024-21756CVSS 8.8Firewall

CVE-2024-21756: fortisandbox vulnerability

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.3, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4 allows attacker to execute unauthoriz...

Updated: 2026-06-17
CVE-2023-36549CVSS 8.8Firewall

CVE-2023-36549: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted http get ...

Updated: 2026-06-17
CVE-2023-34986CVSS 8.8Firewall

CVE-2023-34986: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted HTTP get ...

Updated: 2026-06-17
CVE-2023-34989CVSS 8.8Firewall

CVE-2023-34989: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted HTTP get ...

Updated: 2026-06-17
CVE-2023-34988CVSS 8.8Firewall

CVE-2023-34988: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted HTTP get ...

Updated: 2026-06-17
CVE-2023-34987CVSS 8.8Firewall

CVE-2023-34987: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted HTTP get ...

Updated: 2026-06-17
CVE-2023-34985CVSS 8.8Firewall

CVE-2023-34985: fortiwlm vulnerability

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specifically crafted HTTP get ...

Updated: 2026-06-17

Security newsletter

Get new CVE alerts before they become an incident

We send selected infrastructure threats in English, with practical notes for DataHouse environments.

  • DataHouse: server administration and secure cloud
  • Hostilla.pl: hosting and mail services
  • SecDNS.pl: free DNS security layer