Fortinet FortiSandbox: Malicious Files Can Be Deleted

CVE-2026-25691
Summary

A path traversal issue in Fortinet FortiSandbox versions 5.0.0 to 5.0.5, 4.4.0 to 4.4.8, and all versions of 4.2, as well as FortiSandbox Cloud 5.0.4 and FortiSandbox PaaS 5.0.4, allows a privileged attacker (super-admin profile with CLI access) to delete an arbitrary directory through crafted HTTP requests. This could lead to data loss and disrupt the normal functioning of the system. Fortinet has released patches to fix this issue, and you should update your software as soon as possible.

Original title
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all v...
Original description
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via HTTP crafted requests.
NVD CVSS 3.1: 6.7
Vulnerability type
CWE-22 Path Traversal
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026