Fortinet on Tuesday released 26 advisories detailing 27 vulnerabilities across its products, including two critical-severity flaws in FortiSandbox. Tracked as CVE-2026-39813, the first critical bug affects the FortiSandbox JRPC API and could allow attackers to bypass authentication, while CVE-2026-39808 is an OS command injection issue that can be exploited for arbitrary code or command execution.
Both defects have a CVSS score of 9.1 and could be exploited without authentication via specially crafted HTTP requests. The company also patched CVE-2026-22828, a high-severity buffer overflow vulnerability in FortiAnalyzer Cloud that could be exploited without authentication for remote code execution or arbitrary command execution.
In addition, two high-severity SQL injection bugs were fixed in FortiDDoS-F and FortiClientEMS, exploitable via crafted requests to run arbitrary SQL queries, with authentication required. Fortinet notes that the remaining defects patched on Tuesday span medium- and low-severity issues including DoS, XSS, information disclosure, and other impacts.

15 April 2026. Written by Ionut Arghire.