Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in Fortinet Product

16 April 2026

Fortinet has released software updates addressing vulnerabilities in FortiSandbox.Users and administrators of affected products are advised to update to the latest versions immediately.

Background 

Fortinet has released software updates addressing vulnerabilities (CVE-2026-39808 and CVE-2026-39813) in FortiSandbox.

Impact 

CVE-2026-39808: Successful exploitation of this OS command injection vulnerability could allow an unauthenticated attacker to execute unauthorized arbitrary code or commands via specially crafted HTTP requests.

CVE-2026-39813: Successful exploitation of this vulnerability could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests in the FortiSandbox JRPC API.

Affected Products

The following product versions are affected by the vulnerabilities.

For CVE-2026-39808:

  • FortiSandbox 4.44.4.0 through 4.4.8

For CVE-2026-39813:

  • FortiSandbox 5.05.0.0 through 5.0.5

  • FortiSandbox 4.44.4.0 through 4.4.8

Recommendation

Users and administrators of affected products are advised to update to the latest versions immediately.

References 

https://www.fortiguard.com/psirt/FG-IR-26-100

https://www.fortiguard.com/psirt/FG-IR-26-112

https://www.securityweek.com/fortinet-patches-critical-fortisandbox-vulnerabilities/

Back to top