Critical severity9.8CISA KEVNVD Advisory· Published Feb 6, 2026· Updated Apr 16, 2026

CVE-2026-21643

Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Fortinet/Forticlientems2 versions
cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:fortinet:forticlientems:7.4.4:*:*:*:*:*:*:*
- (no CPE)range: =7.4.4

Patches

Vulnerability mechanics

References

github.com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.pynvdExploit
fortiguard.fortinet.com/psirt/FG-IR-25-1142nvdVendor Advisory
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government Resource

News mentions

3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs
SecurityWeek · Jun 17, 2026
Critical Fortinet FortiSandbox flaws now exploited in attacks
BleepingComputer · Jun 16, 2026
Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator
BleepingComputer · May 12, 2026
Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited
Infosecurity Magazine · Apr 7, 2026

cvss	0.637
epss	0.075
exploit	0.000
kev	0.120
patch	0.000
ransomware	0.000