Critical Fortinet FortiSandbox Vulnerabilities Patched — CVE-2026-39813 and CVE-2026-39808 (CVSS 9.8)
Summary
Fortinet has released emergency patches for two critical vulnerabilities in its FortiSandbox product, both scoring CVSS 9.8. These flaws allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely — no credentials required.
CVE-2026-39813 is a path traversal vulnerability in the FortiSandbox JRPC API. Attackers can send specially crafted HTTP requests to bypass authentication entirely. It affects FortiSandbox versions 5.0.0–5.0.5 and 4.4.0–4.4.8. Fixes are available in versions 5.0.6+ and 4.4.9+.
CVE-2026-39808 is an OS command injection flaw that allows unauthenticated attackers to execute unauthorized commands via crafted HTTP requests. It affects FortiSandbox 4.4.0–4.4.8 and is fixed in 4.4.9+. While no active exploitation has been reported yet, security researchers have already published scanners for both CVEs — meaning weaponization is likely imminent.
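For an inventory check against the affected and fixed ranges just listed, here is an added example (not Fortinet's code and not from any of the cited articles); the host names and inventory lines are constructed, and versions outside the listed ranges are reported as not listed rather than safe:

```python
from __future__ import annotations
from dataclasses import dataclass

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.0.10' into (5, 0, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.strip().split("."))

@dataclass(frozen=True)
class Advisory:
    cve: str
    # (first affected, last affected, first fixed) per release branch, as stated above
    branches: tuple[tuple[str, str, str], ...]

ADVISORIES = (
    Advisory("CVE-2026-39813", (("5.0.0", "5.0.5", "5.0.6"), ("4.4.0", "4.4.8", "4.4.9"))),
    Advisory("CVE-2026-39808", (("4.4.0", "4.4.8", "4.4.9"),)),
)

def exposure(version: str) -> dict[str, str | None]:
    """Map each CVE to the minimum fixed version to move to, or None when the
    version is outside that CVE's listed affected ranges (fixed, or not listed)."""
    v = parse_version(version)
    result: dict[str, str | None] = {}
    for adv in ADVISORIES:
        fix = None
        for first, last, fixed in adv.branches:
            if parse_version(first) <= v <= parse_version(last):
                fix = fixed
                break
        result[adv.cve] = fix
    return result

# Constructed inventory: 'host,version' per line (hypothetical hosts).
INVENTORY = """\
fsa-dc1,5.0.5
fsa-dc2,5.0.6
fsa-lab,4.4.3
fsa-edge,4.4.9
"""

def triage_inventory(text: str) -> dict[str, dict[str, str]]:
    """Return host -> {cve: first fixed version} for every host still in an affected range."""
    needs_patch: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, version = (p.strip() for p in line.split(",", 1))
        todo = {cve: fix for cve, fix in exposure(version).items() if fix}
        if todo:
            needs_patch[host] = todo
    return needs_patch

if __name__ == "__main__":
    for host, todo in triage_inventory(INVENTORY).items():
        print(host, "->", ", ".join(f"{cve}: upgrade to {fix}+" for cve, fix in todo.items()))
```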
Source
Help Net Security · SecurityWeek · The Register
Commentary
Two CVSS 9.8 vulnerabilities, both unauthenticated, both allowing code execution — this is a patch-now situation. FortiSandbox is a security product designed to detect advanced threats via sandboxed analysis. The irony of a sandbox security appliance being the attack vector is not lost on anyone.
Fortinet products have been a recurring target in 2026 (FortiClient EMS, FortiGate, and now FortiSandbox), and threat actors are known to weaponize Fortinet CVEs rapidly. With scanners already publicly available, the window between patch release and active exploitation is shrinking fast. If you are running FortiSandbox, the only acceptable action is immediate patching. No exceptions.