6.7
Fortinet FortiClientEMS: Unauthorized Code Execution via SQL Injection
CVE-2026-39809
Summary
Certain versions of Fortinet FortiClientEMS are vulnerable to a SQL injection attack, which could allow an attacker to execute unauthorized code or commands. This could potentially lead to unauthorized access to sensitive data or disruption of system functionality. Fortinet has released patches for affected versions, and it's recommended to update to the latest version as soon as possible.
Original title
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClient...
Original description
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow an attacker to execute unauthorized code or commands via sending crafted requests.
NVD CVSS 3.1
6.7
Vulnerability type
CWE-89
SQL Injection
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026