CVE-2026-22573

Summary

An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5 all versions, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform path traversal attack via File Content Extraction actions.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSOAR on-premise7.6.0 <= 7.6.3affected
FortinetFortiSOAR on-premise7.5.0 <= 7.5.3affected
FortinetFortiSOAR on-premise7.4.0 <= 7.4.5affected
FortinetFortiSOAR on-premise7.3.0 <= 7.3.3affected
FortinetFortiSOAR PaaS7.6.0 <= 7.6.3affected
FortinetFortiSOAR PaaS7.5.0 <= 7.5.3affected
FortinetFortiSOAR PaaS7.4.0 <= 7.4.5affected
FortinetFortiSOAR PaaS7.3.0 <= 7.3.3affected

Weaknesses

  • CWE-22: Information disclosure

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References