An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS and FortiProxy may allow an authenticated attacker to elevate their privileges via triggering a malicious Webhook action in the...
Read MoreA stack-based buffer overflow vulnerability [CWE-121] in FortiOS and FortiProxy may allow an authenticated attacker to achieve arbitrary code execution via certain CLI commands. Revised on 2025-10-14 00:00:00
Read MoreA Weak authentication vulnerability [CWE 1390] in FortiPAM and FortiSwitch Manager WAD/GUI may allow an attacker to bypass the authentication process via a brute-force attack. Revised on 2025-10-14 00:00:00
Read MoreA concurrent execution using shared resource with improper synchronization (‘Race Condition’) vulnerability [CWE-362] in FortiAnalyzer may allow an attacker to attempt to win a race condition to bypass the FortiCloud...
Read MoreAn Exposure of Private Personal Information (‘Privacy Violation’) vulnerability [CWE-359] in FortiDLP may allow an authenticated windows administrator to collect current user’s email information Revised on...
Read MoreAn Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability [CWE-22] in FortiDLP Agent’s Outlookproxy plugin for Windows and MacOS may allow an authenticated attacker to...
Read MoreAn Incorrect Provision of Specified Functionality vulnerability [CWE-684] in FortiOS may allow a local authenticated attacker to execute system commands via crafted CLI commands. Revised on 2025-10-14 00:00:00
Read MoreAn Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSOAR may allow an attacker who has already obtained a non-login low privileged shell access...
Read MoreAn Improper Validation of Certificate with Host Mismatch vulnerability [CWE-297] in FortiOS and FortiProxy ZTNA proxy may allow an unauthenticated attacker in a man-in-the middle position to intercept and tamper with connections...
Read MoreAn improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSIEM may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP requests. Revised on...
Read MoreCritical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An...
Read MoreAn Improper Neutralization of Input During Web Page Generation and URL Redirection to Untrusted Site vulnerabilities [CWE-79, CWE-601] in FortiOS, FortiProxy and FortiSASE may allow an unauthenticated attacker to perform a...
Read More