The Known Exploited Vulnerabilities (KEV) catalog lists CVE-2026-21643 as a Fortinet FortiClient EMS SQL injection vulnerability, which may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. The entry lists CWE-89 as the related weakness and states that it is unknown whether the vulnerability has been used in ransomware campaigns.
The recommended action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. This vulnerability was added to the KEV catalog on 13 April 2026, with a due date of 16 April 2026. The entry's notes link to Fortinet’s PSIRT page and the NVD entry for CVE-2026-21643.
In short, organisations using FortiClient EMS should review mitigations promptly and prioritise patching to reduce exposure to this publicly catalogued flaw.