CVE-2026-39814
Received
Received - Intake
Relative Path Traversal in Fortinet FortiWeb Enables Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-21
Assigner: Fortinet, Inc.
Description
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, and FortiWeb 7.0.10 through 7.0.12 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortiweb | From 8.0.0 (inc) to 8.0.3 (exc) |
| fortinet | fortiweb | From 7.6.0 (inc) to 7.6.7 (exc) |
| fortinet | fortiweb | From 7.0.10 (inc) to 7.0.12 (inc) |
| fortinet | fortiweb | From 7.2.0 (inc) to 7.2.12 (inc) |
| fortinet | fortiweb | From 7.4.1 (inc) to 7.4.12 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |