CVE-2026-39814
Received
Received - Intake
Relative Path Traversal in Fortinet FortiWeb Enables Code Execution
Vulnerability report for CVE-2026-39814, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-14
Last updated on: 2026-04-21
Assigner: Fortinet, Inc.
Description
Description
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow attacker to execute unauthorized code or commands via <insert attack vector here>
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortiweb | From 8.0.0 (inc) to 8.0.3 (exc) |
| fortinet | fortiweb | From 7.6.0 (inc) to 7.6.7 (exc) |
| fortinet | fortiweb | From 7.0.10 (inc) to 7.0.12 (inc) |
| fortinet | fortiweb | From 7.2.0 (inc) to 7.2.12 (inc) |
| fortinet | fortiweb | From 7.4.1 (inc) to 7.4.12 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |