Fortinet Discloses Reflected XSS Vulnerability in FortiSandbox Operation Center
Fortinet has disclosed a reflected cross-site scripting vulnerability in FortiSandbox and FortiSandbox Cloud, tracked as FG-IR-26-109, with a CVSSv3 score of 4.9.
Fortinet has disclosed a reflected cross-site scripting (XSS) vulnerability in its FortiSandbox and FortiSandbox Cloud products, tracked as FG-IR-26-109. The flaw, classified under CWE-79, carries a CVSSv3 score of 4.9 and affects the Operation Center component. An attacker can exploit the vulnerability by sending crafted HTTP requests to execute arbitrary JavaScript in the context of a victim's browser.
The vulnerability impacts FortiSandbox version 5.0.0 through 5.0.4 and FortiSandbox Cloud (PaaS) version 5.0.0 through 5.0.4. Earlier versions 4.4 and 4.2 are not affected. Fortinet has released patches in FortiSandbox 5.0.5 and FortiSandbox Cloud 5.0.5 to address the issue. The advisory was initially published on April 14, 2026, and no revisions have been made since.
The vulnerability was internally discovered and reported by William Hsu from Fortinet's InfoSec team. As of the advisory date, no in-the-wild exploitation has been reported. Fortinet recommends that users upgrade to the patched versions to mitigate the risk.
Reflected XSS vulnerabilities occur when an application includes unvalidated user input in a web page without proper sanitization. In this case, an attacker could craft a malicious link that, when clicked by an authenticated user, executes JavaScript in the context of the FortiSandbox interface. This could lead to session hijacking, data theft, or other malicious actions.
FortiSandbox is a security solution designed to detect and analyze advanced threats using sandboxing technology. It is widely deployed in enterprise environments to inspect suspicious files and URLs. The XSS flaw in its Operation Center could potentially be leveraged to bypass security controls or gain unauthorized access to sensitive data.
While the CVSS score is moderate, the vulnerability underscores the importance of input validation and output encoding in web applications. Fortinet's advisory provides a clear upgrade path for affected versions. Users are advised to apply the patches promptly, especially in environments where FortiSandbox is exposed to untrusted networks.
This disclosure is part of Fortinet's ongoing commitment to responsible vulnerability management. The company regularly publishes security advisories for its products, and this latest fix adds to a series of patches released in 2026.