What is CVE-2026-25089?

CVE-2026-25089 is a critical-severity vulnerability, classified under OS Command Injection. CVSS score: 9.8/10. Published 2026-06-09.

How severe is CVE-2026-25089?

Critical severity. CVSS v3 base score is 9.8 out of 10.

CVE-2026-25089

CVE-2026-25089

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5…

Vulnerability class: Command Injection (OS Command Injection)

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

psirt@fortinet.com

Frequently asked questions

What is CVE-2026-25089?: CVE-2026-25089 is a critical-severity vulnerability, classified under OS Command Injection. CVSS score: 9.8/10. Published 2026-06-09.
How severe is CVE-2026-25089?: Critical severity. CVSS v3 base score is 9.8 out of 10.