Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-24474

Summary
Assigner-fortinet
Assigner Org ID-6abe59d8-c742-4dff-8ce8-9b0ca1073da8
Published At-08 Jul, 2025 | 14:41
Updated At-08 Jul, 2025 | 20:41
Rejected At-
Credits

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker with high privilege to extract database information via crafted requests.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:fortinet
Assigner Org ID:6abe59d8-c742-4dff-8ce8-9b0ca1073da8
Published At:08 Jul, 2025 | 14:41
Updated At:08 Jul, 2025 | 20:41
Rejected At:
â–¼CVE Numbering Authority (CNA)

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker with high privilege to extract database information via crafted requests.

Affected Products
Vendor
Fortinet, Inc.Fortinet
Product
FortiManager
CPEs
  • cpe:2.3:o:fortinet:fortimanager:7.6.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.7:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.14:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.13:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.12:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.11:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.7:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.15:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.14:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.13:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.12:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.11:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.7:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortimanager:6.4.0:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 7.6.0 through 7.6.1 (semver)
  • From 7.4.0 through 7.4.6 (semver)
  • From 7.2.0 through 7.2.10 (semver)
  • From 7.0.0 through 7.0.14 (semver)
  • From 6.4.0 through 6.4.15 (semver)
Vendor
Fortinet, Inc.Fortinet
Product
FortiAnalyzer
CPEs
  • cpe:2.3:o:fortinet:fortianalyzer:7.6.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.7:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.14:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.13:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.12:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.11:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.7:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.15:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.14:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.13:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.12:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.11:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.10:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.9:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.8:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.7:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.6:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.5:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.4:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.3:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.1:*:*:*:*:*:*:*
  • cpe:2.3:o:fortinet:fortianalyzer:6.4.0:*:*:*:*:*:*:*
Default Status
unaffected
Versions
Affected
  • From 7.6.0 through 7.6.1 (semver)
  • From 7.4.0 through 7.4.6 (semver)
  • From 7.2.0 through 7.2.10 (semver)
  • From 7.0.0 through 7.0.14 (semver)
  • From 6.4.0 through 6.4.15 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-89Execute unauthorized code or commands
Type: CWE
CWE ID: CWE-89
Description: Execute unauthorized code or commands
Metrics
VersionBase scoreBase severityVector
3.12.6LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C
Version: 3.1
Base score: 2.6
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Please upgrade to FortiManager version 7.6.2 or above Please upgrade to FortiManager version 7.4.7 or above Please upgrade to FortiAnalyzer version 7.6.2 or above Please upgrade to FortiAnalyzer version 7.4.7 or above Please upgrade to FortiAnalyzer Cloud version 7.6.2 or above Please upgrade to FortiAnalyzer Cloud version 7.4.7 or above Please upgrade to FortiManager Cloud version 7.6.2 or above Please upgrade to FortiManager Cloud version 7.4.7 or above

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://fortiguard.fortinet.com/psirt/FG-IR-24-437
N/A
Hyperlink: https://fortiguard.fortinet.com/psirt/FG-IR-24-437
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@fortinet.com
Published At:08 Jul, 2025 | 15:15
Updated At:22 Jul, 2025 | 18:11

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker with high privilege to extract database information via crafted requests.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.12.7LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 2.7
Base severity: LOW
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Fortinet, Inc.
fortinet
>>fortianalyzer>>Versions from 6.4.0(inclusive) to 7.4.7(exclusive)
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortianalyzer>>Versions from 7.6.0(inclusive) to 7.6.2(exclusive)
cpe:2.3:a:fortinet:fortianalyzer:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortianalyzer_cloud>>Versions from 6.4.1(inclusive) to 7.4.7(exclusive)
cpe:2.3:a:fortinet:fortianalyzer_cloud:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortimanager>>Versions from 6.4.0(inclusive) to 7.4.7(exclusive)
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortimanager>>Versions from 7.6.0(inclusive) to 7.6.2(exclusive)
cpe:2.3:a:fortinet:fortimanager:*:*:*:*:*:*:*:*
Fortinet, Inc.
fortinet
>>fortimanager_cloud>>Versions from 6.4.1(inclusive) to 7.4.7(exclusive)
cpe:2.3:a:fortinet:fortimanager_cloud:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-89Primarypsirt@fortinet.com
CWE ID: CWE-89
Type: Primary
Source: psirt@fortinet.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://fortiguard.fortinet.com/psirt/FG-IR-24-437psirt@fortinet.com
Vendor Advisory
Hyperlink: https://fortiguard.fortinet.com/psirt/FG-IR-24-437
Source: psirt@fortinet.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

87Records found
CVE-2024-55593
Matching Score-10
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-10
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.21% / 43.60%
||
7 Day CHG+0.01%
Published-14 Jan, 2025 | 14:08
Updated-03 Feb, 2025 | 22:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows attacker to gain information disclosure via crafted SQL queries

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortiWeb
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-31495
Matching Score-10
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-10
Assigner-Fortinet, Inc.
CVSS Score-3.9||LOW
EPSS-0.27% / 50.47%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:31
Updated-02 Jan, 2025 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiPortal versions 7.0.0 through 7.0.6 and version 7.2.0 allows privileged user to obtain unauthorized information via the report download functionality.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortiPortalfortiportal
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-31514
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.04% / 12.38%
||
7 Day CHG~0.00%
Published-14 Oct, 2025 | 15:23
Updated-14 Jan, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via diagnose command.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiosfortiproxyFortiProxyFortiOS
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2026-27316
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-2.5||LOW
EPSS-0.03% / 6.74%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 15:38
Updated-17 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4 all versions, FortiSandbox PaaS 5.0.1 through 5.0.5 may allow an authenticathed administrator to read LDAP server credentials via client-side inspection.

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiSandboxFortiSandbox PaaS
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-38377
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.16% / 37.31%
||
7 Day CHG~0.00%
Published-25 Nov, 2022 | 15:47
Updated-07 Nov, 2023 | 03:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control vulnerability [CWE-284] in FortiManager 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.7, 6.2.0 through 6.2.9, 6.0.0 through 6.0.11 and FortiAnalyzer 7.2.0, 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.0 through 6.2.10, 6.0.0 through 6.0.12 may allow a remote and authenticated admin user assigned to a specific ADOM to access other ADOMs information such as device information and dashboard information.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortimanagerFortiManagerFortiAnalyzer
CWE ID-CWE-284
Improper Access Control
CVE-2024-45323
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.20% / 41.56%
||
7 Day CHG~0.00%
Published-10 Sep, 2024 | 14:37
Updated-20 Sep, 2024 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control vulnerability [CWE-284] in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include information related to other organizations.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiedrmanagerFortiEDR Manager
CWE ID-CWE-284
Improper Access Control
CVE-2025-59923
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.04% / 13.72%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 17:18
Updated-14 Jan, 2026 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiauthenticatorFortiAuthenticator
CWE ID-CWE-284
Improper Access Control
CVE-2025-57823
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.04% / 11.59%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 17:18
Updated-14 Jan, 2026 | 09:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiauthenticatorFortiAuthenticator
CWE ID-CWE-425
Direct Request ('Forced Browsing')
CVE-2025-46777
Matching Score-8
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-8
Assigner-Fortinet, Inc.
CVSS Score-2.2||LOW
EPSS-0.22% / 44.16%
||
7 Day CHG~0.00%
Published-28 May, 2025 | 07:56
Updated-04 Jun, 2025 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A insertion of sensitive information into log file in Fortinet FortiPortal versions 7.4.0, versions 7.2.0 through 7.2.5, and versions 7.0.0 through 7.0.9 may allow an authenticated attacker with at least read-only admin permissions to view encrypted secrets via the FortiPortal System Log.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortiPortal
CWE ID-CWE-532
Insertion of Sensitive Information into Log File
CVE-2023-48788
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.3||CRITICAL
EPSS-94.08% / 99.91%
||
7 Day CHG-0.05%
Published-12 Mar, 2024 | 15:09
Updated-24 Oct, 2025 | 12:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-04-15||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlient_enterprise_management_serverFortiClientEMSforticlient_enterprise_management_serverFortiClient EMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-25257
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.6||CRITICAL
EPSS-17.23% / 95.04%
||
7 Day CHG~0.00%
Published-17 Jul, 2025 | 15:10
Updated-26 Feb, 2026 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2025-08-08||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwebFortiWebFortiWeb
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-26114
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.17% / 78.65%
||
7 Day CHG-0.76%
Published-06 Apr, 2022 | 09:15
Updated-25 Oct, 2024 | 13:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiWAN before 4.5.9 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwanFortinet FortiWAN
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-39815
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.9||HIGH
EPSS-0.08% / 22.80%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 15:38
Updated-17 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiDDoS-F
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-39809
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.02% / 5.57%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 15:05
Updated-17 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow attacker to execute unauthorized code or commands via sending crafted requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiClientEMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24007
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.8||CRITICAL
EPSS-0.71% / 72.20%
||
7 Day CHG~0.00%
Published-09 Jul, 2021 | 18:37
Updated-25 Oct, 2024 | 13:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a non-authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortimailFortinet FortiMail
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-37931
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.6||HIGH
EPSS-0.44% / 63.03%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 14:10
Updated-22 Jul, 2025 | 21:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-88] in FortiVoice Entreprise version 7.0.0 through 7.0.1 and before 6.4.8 allows an authenticated attacker to perform a blind sql injection attack via sending crafted HTTP or HTTPS requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortivoiceFortiVoice
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-29011
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-0.36% / 58.28%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 15:26
Updated-25 Oct, 2024 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Instances of SQL Injection vulnerabilities in the checksum search and MTA-quarantine modules of FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated attacker to execute unauthorized code on the underlying SQL interpreter via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortinet FortiSandbox
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-34991
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.3||CRITICAL
EPSS-6.77% / 91.33%
||
7 Day CHG~0.00%
Published-14 Nov, 2023 | 18:07
Updated-16 Dec, 2025 | 18:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 and 8.4.0 through 8.4.2 and 8.3.0 through 8.3.2 and 8.2.2 allows attacker to execute unauthorized code or commands via a crafted http request.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortiWLM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-3616
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.84% / 74.78%
||
7 Day CHG~0.00%
Published-11 Aug, 2017 | 21:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SQL injection vulnerability in Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows remote attackers to execute arbitrary commands via unspecified parameters.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortimanager_2000efortimanager_300efortimanager_200dfortimanager_firmwarefortimanager_400efortimanager_3000ffortimanager_3900en/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-23775
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.06% / 19.74%
||
7 Day CHG~0.00%
Published-11 Jun, 2024 | 14:32
Updated-21 Jan, 2025 | 21:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerabilities [CWE-89] in FortiSOAR 7.2.0 and before 7.0.3 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisoarFortiSOAR
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-29059
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-2.6||LOW
EPSS-0.12% / 30.63%
||
7 Day CHG~0.00%
Published-14 Mar, 2025 | 15:45
Updated-14 Mar, 2025 | 17:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings parameters.

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiWeb
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-29058
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.8||HIGH
EPSS-0.23% / 46.03%
||
7 Day CHG~0.00%
Published-06 Sep, 2022 | 15:10
Updated-25 Oct, 2024 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements [CWE-89] used in an OS command vulnerability [CWE-78] in the command line interpreter of FortiAP 6.0.0 through 6.4.7, 7.0.0 through 7.0.3, 7.2.0, FortiAP-S 6.0.0 through 6.4.7, FortiAP-W2 6.0.0 through 6.4.7, 7.0.0 through 7.0.3, 7.2.0 and FortiAP-U 5.4.0 through 6.2.3 may allow an authenticated attacker to execute unauthorized commands via specifically crafted arguments to existing commands.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiapfortiap-sfortiap-ufortiap-w2Fortinet FortiAP, FortiAP-S, FortiAP-W2, FortiAP-U
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-27485
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.62% / 69.96%
||
7 Day CHG+0.12%
Published-11 Apr, 2023 | 16:07
Updated-22 Oct, 2024 | 20:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') vulnerability [CWE-89] in Fortinet FortiSandbox version 4.2.0, 4.0.0 through 4.0.2, 3.2.0 through 3.2.3, 3.1.x and 3.0.x allows a remote and authenticated attacker with read permission to retrieve arbitrary files from the underlying Linux system via a crafted HTTP request.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxFortiSandbox
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-26120
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.63% / 70.29%
||
7 Day CHG~0.00%
Published-18 Jul, 2022 | 16:41
Updated-22 Oct, 2024 | 20:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerabilities [CWE-89] in FortiADC management interface 7.0.0 through 7.0.1, 5.0.0 through 6.2.2 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortinet FortiADC
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-54026
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.14% / 34.19%
||
7 Day CHG+0.07%
Published-11 Mar, 2025 | 14:54
Updated-14 Jan, 2026 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisandboxfortisandbox_cloudFortiSandboxFortiSandbox Cloud
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-52969
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-3.7||LOW
EPSS-0.23% / 45.98%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 14:08
Updated-03 Feb, 2025 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSIEM ersion 7.1.7 and below, version 7.1.0, version 7.0.3 and below, version 6.7.9 and below, 6.7.8, version 6.6.5 and below, version 6.5.3 and below, version 6.4.4 and below Update/Create Case feature may allow an authenticated attacker to extract database information via crafted requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortisiemFortiSIEM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-42760
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-0.42% / 62.11%
||
7 Day CHG~0.00%
Published-08 Dec, 2021 | 11:31
Updated-25 Oct, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclose sensitive information from DB tables via crafted requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortinet FortiWLM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-36184
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-0.31% / 54.00%
||
7 Day CHG~0.00%
Published-02 Nov, 2021 | 18:51
Updated-25 Oct, 2024 | 13:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of Special Elements used in an SQL Command ('SQL Injection') in Fortinet FortiWLM version 8.6.1 and below allows attacker to disclosure device, users and database information via crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortinet FortiWLM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-32590
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.9||CRITICAL
EPSS-0.20% / 41.84%
||
7 Day CHG~0.00%
Published-04 Aug, 2021 | 13:31
Updated-25 Oct, 2024 | 13:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of special elements used in an SQL command vulnerabilities in FortiPortal 6.0.0 through 6.0.4, 5.3.0 through 5.3.5, 5.2.0 through 5.2.5, and 4.2.2 and earlier may allow an attacker with regular user's privileges to execute arbitrary commands on the underlying SQL database via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortinet FortiPortal
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-33875
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.82% / 74.47%
||
7 Day CHG~0.00%
Published-06 Dec, 2022 | 16:01
Updated-07 Nov, 2023 | 03:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability in Fortinet FortiADC version 7.1.0, version 7.0.0 through 7.0.2 and version 6.2.4 and below allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiadcFortiADC
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-21643
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.1||CRITICAL
EPSS-33.91% / 96.97%
||
7 Day CHG+20.21%
Published-06 Feb, 2026 | 08:24
Updated-14 Apr, 2026 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-04-16||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientemsFortiClientEMSFortiClient EMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-43077
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-8.8||HIGH
EPSS-0.51% / 66.52%
||
7 Day CHG~0.00%
Published-01 Mar, 2022 | 18:30
Updated-25 Oct, 2024 | 13:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWLM version 8.6.2 and below, version 8.5.2 and below, version 8.4.2 and below, version 8.3.2 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to the AP monitor handlers.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiwlmFortinet FortiWLM
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-64156
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.07% / 21.68%
||
7 Day CHG~0.00%
Published-09 Dec, 2025 | 17:18
Updated-26 Feb, 2026 | 16:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7, FortiVoice 6.4 all versions, FortiVoice 6.0 all versions may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted requests

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortivoiceFortiVoice
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-61848
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.03% / 8.43%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 15:38
Updated-17 Apr, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC API

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiManager CloudFortiAnalyzerFortiAnalyzer CloudFortiManager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-49784
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-5.6||MEDIUM
EPSS-0.05% / 16.39%
||
7 Day CHG~0.00%
Published-10 Mar, 2026 | 16:44
Updated-12 Mar, 2026 | 21:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiAnalyzer-BigData 7.6.0, FortiAnalyzer-BigData 7.4.0 through 7.4.4, FortiAnalyzer-BigData 7.2 all versions, FortiAnalyzer-BigData 7.0 all versions, FortiAnalyzer-BigData 6.4 all versions, FortiAnalyzer-BigData 6.2 all versions may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortianalyzer_big_dataFortiAnalyzer-BigDataFortiAnalyzer
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-59922
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.07% / 21.24%
||
7 Day CHG~0.00%
Published-13 Jan, 2026 | 16:32
Updated-14 Jan, 2026 | 21:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiClientEMS 7.4.3 through 7.4.4, FortiClientEMS 7.4.0 through 7.4.1, FortiClientEMS 7.2.0 through 7.2.10, FortiClientEMS 7.0 all versions may allow an authenticated attacker with at least read-only admin permission to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-forticlientemsFortiClientEMS
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2020-29015
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-9.8||CRITICAL
EPSS-1.00% / 77.07%
||
7 Day CHG~0.00%
Published-14 Jan, 2021 | 16:07
Updated-25 Oct, 2024 | 14:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.

Action-Not Available
Vendor-n/aFortinet, Inc.
Product-fortiwebFortinet FortiWeb
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2025-58692
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.7||HIGH
EPSS-0.04% / 11.42%
||
7 Day CHG-0.01%
Published-18 Nov, 2025 | 17:01
Updated-26 Feb, 2026 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 allows an authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortivoiceFortiVoice
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-26116
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-7.2||HIGH
EPSS-0.62% / 70.07%
||
7 Day CHG~0.00%
Published-11 May, 2022 | 07:20
Updated-25 Oct, 2024 | 13:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple improper neutralization of special elements used in SQL commands ('SQL Injection') vulnerability [CWE-89] in FortiNAC version 8.3.7 and below, 8.5.2 and below, 8.5.4, 8.6.0, 8.6.5 and below, 8.7.6 and below, 8.8.11 and below, 9.1.5 and below, 9.2.2 and below may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortinacFortinet FortiNAC
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-35275
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.13% / 31.83%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 14:08
Updated-31 Jan, 2025 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, FortiManager version 7.4.0 through 7.4.2 allows attacker to escalation of privilege via specially crafted http requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortianalyzerfortianalyzer_cloudfortimanager_cloudfortimanagerFortiManagerFortiAnalyzer
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-35278
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4.1||MEDIUM
EPSS-0.28% / 51.33%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 14:09
Updated-31 Jan, 2025 | 17:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiPortal versions 7.2.4 through 7.2.0 and 7.0.0 through 7.2.8 may allow an authenticated attacker to view the SQL query being run server-side when submitting an HTTP request, via including special elements in said request.

Action-Not Available
Vendor-Fortinet, Inc.
Product-fortiportalFortiPortal
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-33501
Matching Score-6
Assigner-Fortinet, Inc.
ShareView Details
Matching Score-6
Assigner-Fortinet, Inc.
CVSS Score-4||MEDIUM
EPSS-0.03% / 9.54%
||
7 Day CHG+0.01%
Published-11 Mar, 2025 | 14:54
Updated-11 Mar, 2025 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Two improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5, FortiManager version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData version 7.4.0 and before 7.2.7 allows a privileged attacker to execute unauthorized code or commands via specifically crafted CLI requests.

Action-Not Available
Vendor-Fortinet, Inc.
Product-FortiManager
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-37590
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.02% / 5.69%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:00
Updated-14 Apr, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-36874
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.03% / 7.24%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 00:00
Updated-14 Apr, 2026 | 17:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php.

Action-Not Available
Vendor-n/arazormist
Product-basic_library_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-37361
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.07% / 22.13%
||
7 Day CHG+0.01%
Published-25 Jul, 2023 | 00:00
Updated-23 Oct, 2024 | 19:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization.

Action-Not Available
Vendor-vanderbiltn/a
Product-redcapn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-25109
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-2.7||LOW
EPSS-0.18% / 39.30%
||
7 Day CHG~0.00%
Published-14 Feb, 2022 | 09:20
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Futurio Extra < 1.6.3 - Authenticated SQL Injection

The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against logged in admins by making send open a malicious link.

Action-Not Available
Vendor-futuriowpUnknown
Product-futurio_extraFuturio Extra
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-46498
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.07% / 20.10%
||
7 Day CHG~0.00%
Published-07 Mar, 2024 | 00:00
Updated-28 Mar, 2025 | 18:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Hospital Management System 1.0 was discovered to contain a SQL injection vulnerability via the doc_number parameter at his_admin_view_single_employee.php.

Action-Not Available
Vendor-n/aPHPGurukul LLPCodeAstro
Product-hospital_management_systemn/ahospital_management_system
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-37597
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.02% / 5.69%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:00
Updated-14 Apr, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/attendance_list.php.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-37591
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.02% / 5.69%
||
7 Day CHG~0.00%
Published-14 Apr, 2026 | 00:00
Updated-14 Apr, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file /storage/admin/tenants/view_details.php.

Action-Not Available
Vendor-n/a
Product-n/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-36919
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-2.7||LOW
EPSS-0.03% / 7.24%
||
7 Day CHG~0.00%
Published-13 Apr, 2026 | 00:00
Updated-14 Apr, 2026 | 11:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Sourcecodester Online Reviewer System v1.0 is vulnerale to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php.

Action-Not Available
Vendor-n/ajanobe
Product-online_reviewer_systemn/a
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Previous
  • 1
  • 2
  • Next
Details not found