6.5
Fortinet FortiDeceptor: Sensitive Files Can Be Deleted via Malicious HTTP Requests
CVE-2026-25689
Summary
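A privileged attacker with a super-admin profile and CLI access can delete sensitive files by sending crafted HTTP requests, because argument delimiters passed to a command are not neutralized (argument injection, CWE-88). This could lead to data loss or exposure. Update FortiDeceptor to the latest version to fix this issue.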
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| fortinet | fortideceptor | > 4.0.0, <= 6.0.3 | – |
| fortinet | fortideceptor | 6.2.0 | – |
Original title
An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, ...
Original description
An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.2.0, FortiDeceptor 6.0 all versions, FortiDeceptor 5.3 all versions, FortiDeceptor 5.2 all versions, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions, FortiDeceptor 4.3 all versions, FortiDeceptor 4.2 all versions, FortiDeceptor 4.1 all versions, FortiDeceptor 4.0 all versions may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests.
NVD CVSS 3.1
6.5
Vulnerability type
CWE-88
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026