CVE-2026-22154

Summary

An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a stored cross site scripting (XSS) attack via crafted HTTP Requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSOAR PaaS7.6.0 <= 7.6.3affected
FortinetFortiSOAR PaaS7.5.0 <= 7.5.2affected
FortinetFortiSOAR PaaS7.4.0 <= 7.4.5affected
FortinetFortiSOAR PaaS7.3.0 <= 7.3.3affected
FortinetFortiSOAR on-premise7.6.0 <= 7.6.3affected
FortinetFortiSOAR on-premise7.5.0 <= 7.5.2affected
FortinetFortiSOAR on-premise7.4.0 <= 7.4.5affected
FortinetFortiSOAR on-premise7.3.0 <= 7.3.3affected

Weaknesses

  • CWE-79: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References