CVE-2026-39813: One HTTP Request Bypasses FortiSandbox Authentication

A path traversal in FortiSandbox's JRPC API (CVSS 9.1) lets unauthenticated attackers read system info, scan configs, and download a 32 KB encrypted backup with a single ../../tmp/ payload. Bytecode-level look at why /tmp/ is the perfect bypass target, what the patch is, and how it chains with CVE-2026-39808 for full root RCE.