{"uuid": "1c963de4-780f-49a4-b38a-014a112af144", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-39813", "type": "seen", "source": "https://t.me/brutsecurity/2650", "content": "\ud83d\udea8 Fortinet just disclosed CVE-2026-39808 and CVE-2026-39813 - 2 critical vulnerabilities affecting FortiSandbox. No active exploitation itw reported as of yet.\n\nScan your infrastructure to find vulnerable instances:\nCVE-2026-39808: https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39808.yaml\nCVE-2026-39813: https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39813.yaml\n\nCVE-2026-39808 (CVSS 9.1):\nAn Improper Neutralization of Special Elements used in an OS Command ('OS command injection') vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.\n\nCVE-2026-39813 (CVSS 9.1):\nA Path Traversal vulnerability [CWE-24] in FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.\n\nPatches are available as per vendor advisories:\nhttps://fortiguard.fortinet.com/psirt/FG-IR-26-112\nhttps://fortiguard.fortinet.com/psirt/FG-IR-26-100", "creation_timestamp": "2026-07-09T03:00:05.433962Z"}