CVE-2026-23573

Summary

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.6, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiPAM 1.8.0, FortiPAM 1.7 all versions, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.3, FortiProxy 7.2.0 through 7.2.9 may allow an authenticated remote user to execute code or commands via crafted requests.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiOS7.6.0 <= 7.6.6affected
FortinetFortiOS7.4.0 <= 7.4.12affected
FortinetFortiOS7.2.0 <= 7.2.13affected
FortinetFortiOS7.0.0 <= 7.0.19affected
FortinetFortiOS6.4.0 <= 6.4.16affected
FortinetFortiProxy7.4.0 <= 7.4.3affected
FortinetFortiProxy7.2.0 <= 7.2.9affected
FortinetFortiProxy7.0.0 <= 7.0.16affected
FortinetFortiPAM1.8.0affected
FortinetFortiPAM1.7.0 <= 1.7.2affected
FortinetFortiPAM1.6.0 <= 1.6.2affected
FortinetFortiPAM1.5.0 <= 1.5.1affected
FortinetFortiPAM1.4.0 <= 1.4.3affected
FortinetFortiPAM1.3.0 <= 1.3.1affected
FortinetFortiPAM1.2.0affected
FortinetFortiPAM1.1.0 <= 1.1.2affected
FortinetFortiPAM1.0.0 <= 1.0.3affected

Weaknesses

  • CWE-79: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References