CVE-2026-39813
CRITICAL · 9.8 · EPSS 23.6%
Real vuln, credible claim of in-the-wild use, yet weak corroboration and bundled messaging muffle the signal.
What: Path traversal vulnerability in Fortinet FortiSandbox 4.4.0–5.0.5 (CVSS 9.8 CRITICAL) allowing privilege escalation; attack vector details incomplete in NVD.
Why it matters: Social chatter reports active exploitation within 24 hours of patch release (April 2026), with IOCs and mass attacks cited. However, the CVE is not KEV-listed and EPSS remains low (0.24). Posts bundle three vulnerabilities together, muddying the signal; no confirmed PoC or independent defender triage is visible.
Where it's seen: Journalist coverage (Help Net Security, regional security blogs), threat intel aggregators citing "active exploitation" and IOCs, but no technical deep-dive, no PoC repository link, no vendor emergency advisory evident in posts.
RISK: ELEVATED — Critical CVSS, claimed active exploitation, but KEV absence and low EPSS temper urgency.
Description
A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via <insert attack vector here>
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected versions
- fortinet/fortisandbox
  - 4.4.0 – < 4.4.9
  - 5.0.0 – < 5.0.6