Total
115 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-25257 | 1 Fortinet | 1 Fortiweb | 2026-02-20 | N/A | 9.8 CRITICAL |
|
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
|
|||||
| CVE-2026-24858 | 1 Fortinet | 5 Fortianalyzer, Fortimanager, Fortios and 2 more | 2026-01-29 | N/A | 9.8 CRITICAL |
|
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through ...
Show More |
|||||
| CVE-2025-22254 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortiweb | 2026-01-14 | N/A | 6.6 MEDIUM |
|
An Improper Privilege Management vulnerability [CWE-269] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.6.0 through 7.6.1, FortiProxy 7.4.0 through 7.4.7, FortiWeb 7.6.0 through 7.6.1, FortiWeb 7.4.0 through 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocke ...
Show More |
|||||
| CVE-2024-48885 | 1 Fortinet | 3 Fortirecorder, Fortivoice, Fortiweb | 2026-01-14 | N/A | 5.3 MEDIUM |
|
A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiRecorder 7.2.0 through 7.2.1, FortiRecorder 7.0.0 through 7.0.4, FortiVoice 7.0.0 through 7.0.4, FortiVoice 6.4.0 through 6.4.9, FortiVoice 6.0 all versions, FortiWeb 7.6.0, FortiWeb 7.4.0 through 7.4.4, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions, FortiWeb 6.4 all versions allows attacker to escalate privilege via specially crafted packets.
|
|||||
| CVE-2024-48884 | 1 Fortinet | 7 Fortimanager, Fortimanager Cloud, Fortios and 4 more | 2026-01-14 | N/A | 7.5 HIGH |
|
A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2.0 through 7.2.9, FortiOS 7.0.0 through 7.0.15, FortiOS 6.4.0 through 6.4.15, FortiProxy 7.4.0 through 7.4.5, FortiProxy 7.2.0 through 7.2.11, FortiProxy 7.0.0 through 7.0.18, FortiProxy 2.0 all versions, FortiProxy 1.2 all versio ...
Show More |
|||||
| CVE-2024-47569 | 1 Fortinet | 12 Fortimail, Fortimanager, Fortimanager Cloud and 9 more | 2026-01-14 | N/A | 4.3 MEDIUM |
|
A insertion of sensitive information into sent data vulnerability in Fortinet FortiMail 7.4.0 through 7.4.2, FortiMail 7.2.0 through 7.2.6, FortiMail 7.0 all versions, FortiManager 7.6.0 through 7.6.1, FortiManager 7.4.1 through 7.4.3, FortiManager Cloud 7.4.1 through 7.4.3, FortiNDR 7.6.0 through 7.6.1, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiNDR 1.5 all versions, FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.4, FortiOS 7.2. ...
Show More |
|||||
| CVE-2021-36193 | 1 Fortinet | 1 Fortiweb | 2026-01-13 | 6.5 MEDIUM | 6.7 MEDIUM |
|
Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.
|
|||||
| CVE-2025-64471 | 1 Fortinet | 1 Fortiweb | 2025-12-10 | N/A | 4.9 MEDIUM |
|
A use of password hash instead of password for authentication vulnerability [CWE-836] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests
|
|||||
| CVE-2025-64447 | 1 Fortinet | 1 Fortiweb | 2025-12-09 | N/A | 8.1 HIGH |
|
A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS request via forged cookies, requiring prior knowledge of the FortiWeb serial number.
|
|||||
| CVE-2025-59719 | 1 Fortinet | 1 Fortiweb | 2025-12-09 | N/A | 9.8 CRITICAL |
|
An improper verification of cryptographic signature vulnerability in Fortinet FortiWeb 8.0.0, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9 may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.
|
|||||
| CVE-2025-58034 | 1 Fortinet | 1 Fortiweb | 2025-11-21 | N/A | 7.2 HIGH |
|
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
|
|||||
| CVE-2025-64446 | 1 Fortinet | 1 Fortiweb | 2025-11-21 | N/A | 9.8 CRITICAL |
|
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
|
|||||
| CVE-2025-59669 | 1 Fortinet | 1 Fortiweb | 2025-11-20 | N/A | 5.3 MEDIUM |
|
A use of hard-coded credentials vulnerability in Fortinet FortiWeb 7.6.0, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an authenticated attacker with shell access to the device to connect to redis service and access its data
|
|||||
| CVE-2021-42757 | 1 Fortinet | 13 Fortiadc, Fortianalyzer, Fortimail and 10 more | 2025-10-16 | 4.6 MEDIUM | 6.7 MEDIUM |
|
A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated local attacker to achieve arbitrary code execution via specially crafted command line arguments.
|
|||||
| CVE-2025-53609 | 1 Fortinet | 1 Fortiweb | 2025-09-10 | N/A | 4.9 MEDIUM |
|
A Relative Path Traversal vulnerability [CWE-23] in FortiWeb 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an arbitrary file read on the underlying system via crafted requests.
|
|||||
| CVE-2025-52970 | 1 Fortinet | 1 Fortiweb | 2025-08-15 | N/A | 8.1 HIGH |
|
A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
|
|||||
| CVE-2025-47857 | 1 Fortinet | 1 Fortiweb | 2025-08-15 | N/A | 6.7 MEDIUM |
|
A improper neutralization of special elements used in an os command ('os command injection') vulnerability [CWE-78] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or command via crafted CLI commands.
|
|||||
| CVE-2025-32766 | 1 Fortinet | 1 Fortiweb | 2025-08-14 | N/A | 6.4 MEDIUM |
|
A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or commands via crafted CLI commands
|
|||||
| CVE-2025-27759 | 1 Fortinet | 1 Fortiweb | 2025-08-14 | N/A | 6.7 MEDIUM |
|
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and before 7.0.10 allows an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI commands
|
|||||
| CVE-2024-50565 | 1 Fortinet | 6 Fortianalyzer, Fortimanager, Fortios and 3 more | 2025-07-25 | N/A | 3.1 LOW |
|
A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet ...
Show More |
|||||
| CVE-2024-26013 | 1 Fortinet | 6 Fortianalyzer, Fortimanager, Fortios and 3 more | 2025-07-25 | N/A | 7.5 HIGH |
|
A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, ...
Show More |
|||||
| CVE-2024-55594 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 5.6 MEDIUM |
|
An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.
|
|||||
| CVE-2022-29059 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 2.7 LOW |
|
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb version 7.0.1 and below, 6.4.2 and below, 6.3.20 and below, 6.2.7 and below may allow a privileged attacker to execute SQL commands over the log database via specifically crafted strings parameters.
|
|||||
| CVE-2024-21758 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 6.4 MEDIUM |
|
A stack-based buffer overflow in Fortinet FortiWeb versions 7.2.0 through 7.2.7, and 7.4.0 through 7.4.1 may allow a privileged user to execute arbitrary code via specially crafted CLI commands, provided the user is able to evade FortiWeb stack protections.
|
|||||
| CVE-2024-46671 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 6.2 MEDIUM |
|
An Incorrect User Management vulnerability [CWE-286] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, version 7.2.10 and below, version 7.0.11 and below widgets dashboard may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboard of other administrators via crafted requests.
|
|||||
| CVE-2023-25610 | 1 Fortinet | 8 Fortianalyzer, Fortimanager, Fortios and 5 more | 2025-07-24 | N/A | 9.8 CRITICAL |
|
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands ...
Show More |
|||||
| CVE-2024-45324 | 1 Fortinet | 5 Fortios, Fortipam, Fortiproxy and 2 more | 2025-07-24 | N/A | 7.2 HIGH |
|
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker ...
Show More |
|||||
| CVE-2024-55597 | 1 Fortinet | 1 Fortiweb | 2025-07-24 | N/A | 5.5 MEDIUM |
|
A improper limitation of a pathname to a restricted directory ('path traversal') in Fortinet FortiWeb versions 7.0.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted requests.
|
|||||
| CVE-2024-50569 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 6.6 MEDIUM |
|
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.0.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted input.
|
|||||
| CVE-2024-50567 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 7.2 HIGH |
|
An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb 7.4.0 through 7.6.0 allows attacker to execute unauthorized code or commands via crafted input.
|
|||||
| CVE-2025-25254 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 7.2 HIGH |
|
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests.
|
|||||
| CVE-2023-42784 | 1 Fortinet | 1 Fortiweb | 2025-07-22 | N/A | 5.6 MEDIUM |
|
An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests.
|
|||||
| CVE-2017-7736 | 1 Fortinet | 1 Fortiweb | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
|
A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb webUI Certificate View page in 5.8.0, 5.7.1 and earlier, allows attackers to inject arbitrary web script or HTML via special crafted malicious certificate import.
|
|||||
| CVE-2017-3129 | 1 Fortinet | 1 Fortiweb | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
|
A Cross-Site Scripting vulnerability in Fortinet FortiWeb versions 5.7.1 and below allows attacker to execute unauthorized code or commands via an improperly sanitized POST parameter in the FortiWeb Site Publisher feature.
|
|||||
| CVE-2017-7737 | 1 Fortinet | 1 Fortiweb | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
|
An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and below versions allows logged-in admin user to view SNMPv3 user password in cleartext in webui via the HTML source code.
|
|||||
| CVE-2016-4066 | 1 Fortinet | 1 Fortiweb | 2025-04-12 | 6.8 MEDIUM | 8.8 HIGH |
|
Cross-site request forgery (CSRF) vulnerability in Fortinet FortiWeb before 5.5.3 allows remote attackers to hijack the authentication of administrators for requests that change the password via unspecified vectors.
|
|||||
| CVE-2016-5092 | 1 Fortinet | 1 Fortiweb | 2025-04-12 | 4.0 MEDIUM | 4.9 MEDIUM |
|
Directory traversal vulnerability in Fortinet FortiWeb before 5.5.3 allows remote authenticated administrators with read and write privileges to read arbitrary files by leveraging the autolearn feature.
|
|||||
| CVE-2014-4738 | 1 Fortinet | 1 Fortiweb | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in FortiGuard FortiWeb 5.0.x, 5.1.x, and 5.2.x before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) user/ldap_user/check_dlg or (2) user/radius_user/check_dlg.
|
|||||
| CVE-2014-1955 | 1 Fortinet | 1 Fortiweb | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2014-1956 | 1 Fortinet | 1 Fortiweb | 2025-04-12 | 5.0 MEDIUM | N/A |
|
CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
|
|||||