Vypr · patch · Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

Fortinet Discloses Stored XSS Vulnerability in FortiSandbox and FortiSandbox Cloud

Fortinet has disclosed a stored cross-site scripting vulnerability in FortiSandbox and FortiSandbox Cloud that allows a privileged attacker to execute malicious scripts via crafted HTTP requests.

Fortinet has disclosed a stored cross-site scripting (XSS) vulnerability affecting multiple versions of FortiSandbox and FortiSandbox Cloud. The flaw, categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), allows a privileged attacker to execute stored XSS attacks by sending specially crafted HTTP requests to the affected systems. The advisory, published on April 14, 2026, carries a CVSSv3 base score of 4.3, indicating a medium-severity issue.

The vulnerability impacts FortiSandbox versions 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and all versions of 4.2. The same version ranges affect FortiSandbox Cloud (PaaS). Fortinet has released patches for supported branches: users should upgrade to FortiSandbox 5.0.6 or above, or 4.4.9 or above. For the end-of-life 4.2 branch, the only solution is to migrate to a fixed release.

Notably, the advisory does not include a CVE identifier, which is unusual for a Fortinet PSIRT disclosure. The vulnerability was internally discovered and reported by Adamya Varma from Fortinet's InfoSec team, suggesting it was found during internal security testing rather than reported by an external researcher. This may explain the absence of a CVE ID, as CVE assignment typically follows external disclosure or coordinated public reporting.

Stored XSS vulnerabilities are particularly dangerous because the malicious script is permanently stored on the target server, such as in a database or log file. When a victim accesses the compromised page, the script executes in their browser context. In this case, the attacker requires privileged access to the FortiSandbox interface, which somewhat limits the attack surface to authenticated users with elevated permissions. However, once exploited, the attacker could potentially steal session tokens, deface pages, or redirect users to malicious sites.
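To make the CWE-79 mechanism concrete, here is an added example in Python that is not Fortinet's code (FortiSandbox's own handlers are not public): a stored field submitted by a privileged user is rendered into a page without neutralization, beside the hardened rendering that escapes for both the text and attribute contexts, plus a simple tag-count check a tester could run over either output. The field name, the `<td>` template and the sample value are constructed.

```python
import html
import re

# Constructed sample: the value a privileged user submitted in an HTTP request.
# It is persisted server-side and later rendered to every admin viewing the list.
STORED_DESCRIPTION = 'Quarterly report <script>/*constructed marker*/</script>"><img src=x>'

# Matches the start of any HTML tag (opening or closing) in a fragment.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z]")

def render_vulnerable(stored: str) -> str:
    """CWE-79 pattern: stored input is concatenated into the page as-is.

    The same value lands in an attribute context and a text context, and both
    are live markup when the page reaches a victim's browser.
    """
    return f'<td title="{stored}">{stored}</td>'

def render_hardened(stored: str) -> str:
    """Neutralizes the stored value before page generation.

    html.escape with quote=True handles <, >, &, " and ', which covers the
    HTML-text context and a double-quoted attribute value. Other contexts
    (JavaScript, URL, CSS) need their own encoder, not this one.
    """
    safe = html.escape(stored, quote=True)
    return f'<td title="{safe}">{safe}</td>'

def tag_count(fragment: str) -> int:
    """Counts live tags in a rendered fragment. The template above contributes
    exactly two (<td> and </td>); anything beyond that came from stored data."""
    return len(TAG_RE.findall(fragment))

def response_headers() -> dict:
    """Defense in depth: a CSP that blocks inline script limits the impact of a
    neutralization bug but does not replace fixing the encoding at the source."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }

if __name__ == "__main__":
    print("vulnerable:", tag_count(render_vulnerable(STORED_DESCRIPTION)), "tags")
    print("hardened:  ", tag_count(render_hardened(STORED_DESCRIPTION)), "tags")
```

Running the block shows the vulnerable fragment carrying eight live tags against the hardened fragment's two, which is the difference a code review or a rendering test for an admin-facing page is looking for.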

FortiSandbox is a critical security appliance used by enterprises to analyze suspicious files and URLs in a sandboxed environment. A stored XSS flaw in such a product could undermine trust in its analysis results and expose administrative interfaces to further compromise. Organizations running affected versions should prioritize patching, especially if the appliance is exposed to internal users with administrative privileges.

This disclosure follows a series of Fortinet security advisories in recent months, including critical remote code execution flaws in FortiAuthenticator and FortiSandbox patched earlier in April 2026. The company continues to address vulnerabilities across its product portfolio, though the medium severity of this XSS issue and the lack of a CVE ID may lead some administrators to deprioritize it. Given the privileged access required, the immediate risk is lower than unauthenticated RCE bugs, but stored XSS in a security appliance should not be ignored.

Synthesized by Vypr AI