CVSS: 6.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-27759
https://notcve.org/view.php?id=CVE-2025-27759
12 Aug 2025 — An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and before 7.0.10 allows an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI commands • https://fortiguard.fortinet.com/psirt/FG-IR-25-150 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-52970
https://notcve.org/view.php?id=CVE-2025-52970
12 Aug 2025 — A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request. • https://fortiguard.fortinet.com/psirt/FG-IR-25-448 • CWE-233: Improper Handling of Parameters •
CVSS: 10.0EPSS: 45%CPEs: 4EXPL: 11CVE-2025-25257 – Fortinet FortiWeb SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-25257
11 Jul 2025 — An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs reque... • https://packetstorm.news/files/id/206268 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.6EPSS: 0%CPEs: 16EXPL: 0CVE-2024-50565
https://notcve.org/view.php?id=CVE-2024-50565
08 Apr 2025 — A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyze... • https://fortiguard.fortinet.com/psirt/FG-IR-24-046 • CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46671
https://notcve.org/view.php?id=CVE-2024-46671
08 Apr 2025 — An Incorrect User Management vulnerability [CWE-286] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, version 7.2.10 and below, version 7.0.11 and below widgets dashboard may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboard of other administrators via crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-184 • CWE-286: Incorrect User Management •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-25254 – Fortinet FortiWeb cgi_httpcontentrouting_post Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-25254
08 Apr 2025 — An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fortinet FortiWeb. Authentication is required to exploit this vulnerability. The specific flaw exists within the... • https://fortiguard.fortinet.com/psirt/FG-IR-24-474 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 18%CPEs: 42EXPL: 1CVE-2023-25610
https://notcve.org/view.php?id=CVE-2023-25610
24 Mar 2025 — A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifi... • https://github.com/qi4L/CVE-2023-25610 • CWE-124: Buffer Underwrite ('Buffer Underflow') •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2024-55594
https://notcve.org/view.php?id=CVE-2024-55594
14 Mar 2025 — An improper handling of syntactically invalid structure in Fortinet FortiWeb at least vesrions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-115 • CWE-228: Improper Handling of Syntactically Invalid Structure •
CVSS: 8.3EPSS: 0%CPEs: 19EXPL: 0CVE-2024-45324
https://notcve.org/view.php?id=CVE-2024-45324
11 Mar 2025 — A use of externally-controlled format string vulnerability [CWE-134] in FortiOS version 7.4.0 through 7.4.4, version 7.2.0 through 7.2.9, version 7.0.0 through 7.0.15 and before 6.4.15, FortiProxy version 7.4.0 through 7.4.6, version 7.2.0 through 7.2.12 and before 7.0.19, FortiPAM version 1.4.0 through 1.4.2 and before 1.3.1, FortiSRA version 1.4.0 through 1.4.2 and before 1.3.1 and FortiWeb version 7.4.0 through 7.4.5, version 7.2.0 through 7.2.10 and before 7.0.10 allows a privileged attacker to execute ... • https://fortiguard.fortinet.com/psirt/FG-IR-24-325 • CWE-134: Use of Externally-Controlled Format String •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2023-42784
https://notcve.org/view.php?id=CVE-2023-42784
11 Mar 2025 — An improper handling of syntactically invalid structure in Fortinet FortiWeb at least verions 7.4.0 through 7.4.6 and 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10 allows attacker to execute unauthorized code or commands via HTTP/S crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-23-115 • CWE-228: Improper Handling of Syntactically Invalid Structure •