Multiple authenticated OS Command Injections via API

CVSSv3 Score: 6.7 An OS command injection vulnerability in FortiExtender API may allow an authenticated attacker to execute unauthorized code...

Reflected XSS in HA cluster

CVSSv3 Score: 5.3 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FortiSandbox may allow an...

Current password requirement bypass for self password change

CVSSv3 Score: 6.5 An Unverified Password Change vulnerability in FortiSOAR may allow an attacker who gained access to a victim's...

OS command injection in multiple endpoints

CVSSv3 Score: 7.0 An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in FortiSandbox...

Capacity to forge authentication cookies

CVSSv3 Score: 7.1 A reliance on cookie without validation or integrity checking vulnerability in FortiWeb may allow an unauthenticated attacker...

OS command injection in GUI backup options

CVSSv3 Score: 6.9 An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in FortiSandbox...

Insertion of sensitive information into REST API logs

CVSSv3 Score: 6.3 An insertion of sensitive information into log file vulnerability in FortiOS, FortiProxy, FortiPAM and FortiSRA may allow...

Broken access control on API endpoints

CVSSv3 Score: 6.2 An Improper access control vulnerability in FortiSOAR may allow Information disclosure to an authenticated attacker via crafted...

Multiple Fortinet Products’ FortiCloud SSO Login Authentication Bypass

CVSSv3 Score: 9.1 An Improper Verification of Cryptographic Signature vulnerability in FortiOS, FortiWeb, FortiProxy and FortiSwitchManager may allow an unauthenticated attacker to...

Read-only admin could obtain admin configuration secrets

CVSSv3 Score: 2.6 An improper access control vulnerability in FortiAuthenticator Web UI may allow an authenticated attacker with at least...

Latest article

Oracle PeopleSoft Zero-Day

What is the Attack? Google Threat Intelligence Group (GTIG) and Mandiant...

Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection

A new and stealthy backdoor named Mistic has been quietly targeting corporate networks since April 2026, disguising itself using the names and appearance of...

Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs

Amazon Web Services (AWS) recently announced support for resource-based policies and resource control policies (RCPs) for AWS Sign-In. By using resource-based policies and RCPs,...

Healthcare Vendor Xsolis Reports Breach Affecting 1.4M People

Xsolis confirmed a healthcare data breach affecting nearly 1.4 million people after a phishing attack exposed health and identity data.