// Popular Articles
CVE-2026-39813: One HTTP Request Bypasses FortiSandbox Authentication
A path traversal in FortiSandbox's JRPC API (CVSS 9.1) lets unauthenticated attackers read system info, scan configs, and download a 32 KB encrypted backup with a single ../../tmp/ payload. Bytecode-level look at why /tmp/ is the perfect bypass target, what the patch is, and how it chains with CVE-2026-39808 for full root RCE.
CVE-2026-39808: One HTTP Request Turns FortiSandbox into a Root Shell
A pre-auth OS command injection in FortiSandbox 4.4.0–4.4.8 lets anyone take root with a single GET request. The jid parameter on the tracer-behavior endpoint goes straight into the shell. Patch: 4.4.9+. A PoC is already public on GitHub.
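The two teasers above describe the same two bug classes a reviewer would check for on any appliance: a path parameter that is joined onto a base directory without confinement, and a request parameter that reaches a shell. The following is an added example, not code from the linked articles or from Fortinet: a confinement check and an allowlist for the hardening side, and a detector that flags both patterns in web-server access logs. The endpoint paths, the log line format, the accepted jid character set and the sample log lines are all constructed assumptions for illustration; nothing here reproduces the actual FortiSandbox requests.

```python
"""Added example: checks for the bug classes named in the FortiSandbox teasers.
Not Fortinet's or the articles' code; paths, log lines and formats are constructed."""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# ---- hardening side -------------------------------------------------------

def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path inside base_dir; return None if it escapes.

    Percent-decoding happens before realpath() so '..%2F' cannot slip past a
    check that only looks for the literal '../'.  realpath() also collapses
    symlinks, so a link inside base_dir pointing at /tmp is rejected too.
    """
    candidate = os.path.realpath(os.path.join(base_dir, unquote(user_path)))
    base = os.path.realpath(base_dir)
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


# Assumed format for a job id; the real FortiSandbox jid format is not known here.
JID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def is_valid_jid(jid: str) -> bool:
    """Allowlist a job id before it is used anywhere near a command line."""
    return JID_RE.fullmatch(jid) is not None


# ---- detection side -------------------------------------------------------

# Characters that change meaning inside a POSIX shell command string.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Raw or percent-encoded dot-dot-slash.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.IGNORECASE)
# Request line inside a constructed access-log entry.
REQ_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

def classify_request(path_and_query: str) -> List[str]:
    """Return the finding tags for one request target (path + query)."""
    parts = urlsplit(path_and_query)
    decoded = unquote(parts.path) + "?" + unquote(parts.query)
    findings = []
    if TRAVERSAL.search(path_and_query) or TRAVERSAL.search(decoded):
        findings.append("path-traversal")
    # parse_qs percent-decodes values, so encoded metacharacters are caught.
    for jid in parse_qs(parts.query).get("jid", []):
        if not is_valid_jid(jid) and SHELL_META.search(jid):
            findings.append("jid-command-injection")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (request_target, findings) for every flagged access-log line."""
    hits = []
    for line in lines:
        match = REQ_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group(1))
        if findings:
            hits.append((match.group(1), findings))
    return hits


# Constructed sample log lines (common log format); endpoints are illustrative.
LOG_LINES = [
    '10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /api/tracer-behavior?jid=123 HTTP/1.1" 200',
    '10.0.0.5 - - [01/May/2026:10:00:02 +0000] "GET /api/tracer-behavior?jid=1|id HTTP/1.1" 200',
    '10.0.0.9 - - [01/May/2026:10:00:03 +0000] "POST /jrpc?file=../../tmp/backup.bin HTTP/1.1" 200',
    '10.0.0.9 - - [01/May/2026:10:00:04 +0000] "GET /jrpc?file=%2e%2e%2f%2e%2e%2ftmp%2Fx HTTP/1.1" 200',
]

if __name__ == "__main__":
    for target, findings in scan_log(LOG_LINES):
        print(target, "->", ", ".join(findings))
    print(resolve_under_base("/srv/sandbox/data", "../../tmp/x"))  # None: escapes base
```

The detector decodes before matching because the first teaser's payload is a plain `../../tmp/`, but the same traversal arrives just as easily percent-encoded; `resolve_under_base` is the server-side counterpart and rejects both. The jid allowlist is deliberately stricter than "no metacharacters": on the hardening side, the question is not whether the value looks dangerous but whether it matches the one shape the application expects.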