{"api_version":"1","generated_at":"2026-04-23T05:59:51+00:00","cve":"CVE-2026-25691","urls":{"html":"https://cve.report/CVE-2026-25691","api":"https://cve.report/api/cve/CVE-2026-25691.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-25691","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-25691"},"summary":{"title":"CVE-2026-25691","description":"A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests.","state":"PUBLISHED","assigner":"fortinet","published_at":"2026-04-14 16:16:37","updated_at":"2026-04-22 18:55:51"},"problem_types":["CWE-22","CWE-22 Execute unauthorized code or commands"],"metrics":[{"version":"3.1","source":"psirt@fortinet.com","type":"Secondary","score":"6.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.2","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:F/RL:O/RC:C","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.2,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:F/RL:O/RC:C","version":"3.1"}}],"references":[{"url":"https://fortiguard.fortinet.com/psirt/FG-IR-26-115","name":"https://fortiguard.fortinet.com/psirt/FG-IR-26-115","refsource":"psirt@fortinet.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-25691","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25691","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox PaaS","version":"affected 5.0.4","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox Cloud","version":"affected 5.0.4","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox","version":"affected 5.0.0 5.0.5 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox","version":"affected 4.4.0 4.4.8 semver","platforms":[]},{"source":"CNA","vendor":"Fortinet","product":"FortiSandbox","version":"affected 4.2.1 4.2.8 semver","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Fortinet remediated this issue in FortiSandbox Cloud version 5.0.5 and hence customers do not need to perform any action.\nUpgrade to upcoming  FortiSandbox version 5.2.0 or above\nUpgrade to FortiSandbox version 5.0.6 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.5 or above","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"25691","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"fortinet","cpe5":"fortisandbox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"25691","cve":"CVE-2026-25691","epss":"0.000520000","percentile":"0.162430000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-25691","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-14T16:34:33.306644Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-14T16:46:16.085Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"cpes":["cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSandbox PaaS","vendor":"Fortinet","versions":[{"status":"affected","version":"5.0.4"}]},{"cpes":["cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSandbox Cloud","vendor":"Fortinet","versions":[{"status":"affected","version":"5.0.4"}]},{"cpes":["cpe:2.3:a:fortinet:fortisandbox:5.0.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*","cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"FortiSandbox","vendor":"Fortinet","versions":[{"lessThanOrEqual":"5.0.5","status":"affected","version":"5.0.0","versionType":"semver"},{"lessThanOrEqual":"4.4.8","status":"affected","version":"4.4.0","versionType":"semver"},{"lessThanOrEqual":"4.2.8","status":"affected","version":"4.2.1","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.2,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H/E:F/RL:O/RC:C","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"Execute unauthorized code or commands","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-14T15:38:16.406Z","orgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","shortName":"fortinet"},"references":[{"name":"https://fortiguard.fortinet.com/psirt/FG-IR-26-115","url":"https://fortiguard.fortinet.com/psirt/FG-IR-26-115"}],"solutions":[{"lang":"en","value":"Fortinet remediated this issue in FortiSandbox Cloud version 5.0.5 and hence customers do not need to perform any action.\nUpgrade to upcoming  FortiSandbox version 5.2.0 or above\nUpgrade to FortiSandbox version 5.0.6 or above\nUpgrade to FortiSandbox version 4.4.9 or above\nUpgrade to FortiSandbox PaaS version 5.0.5 or above"}]}},"cveMetadata":{"assignerOrgId":"6abe59d8-c742-4dff-8ce8-9b0ca1073da8","assignerShortName":"fortinet","cveId":"CVE-2026-25691","datePublished":"2026-04-14T15:38:16.406Z","dateReserved":"2026-02-05T08:56:55.794Z","dateUpdated":"2026-04-14T16:46:16.085Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-14 16:16:37","lastModifiedDate":"2026-04-22 18:55:51","problem_types":["CWE-22","CWE-22 Execute unauthorized code or commands"],"metrics":{"cvssMetricV31":[{"source":"psirt@fortinet.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H","baseScore":6.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.5}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.4.9","matchCriteriaId":"B8AB5361-2D05-4368-95CC-20BFED00AEB9"},{"vulnerable":true,"criteria":"cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.0.6","matchCriteriaId":"3AAEF316-2134-4398-911C-E7532CD3AFF2"},{"vulnerable":true,"criteria":"cpe:2.3:a:fortinet:fortisandbox_cloud:5.0.4:*:*:*:*:*:*:*","matchCriteriaId":"E5E86B19-95E8-4107-85DC-EFE47225418C"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"25691","Ordinal":"1","Title":"CVE-2026-25691","CVE":"CVE-2026-25691","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"25691","Ordinal":"1","NoteData":"A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests.","Type":"Description","Title":"CVE-2026-25691"}]}}}