CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-47857
https://notcve.org/view.php?id=CVE-2025-47857
12 Aug 2025 — A improper neutralization of special elements used in an os command ('os command injection') vulnerability [CWE-78] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or command via crafted CLI commands. • https://fortiguard.fortinet.com/psirt/FG-IR-25-253 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-27759
https://notcve.org/view.php?id=CVE-2025-27759
12 Aug 2025 — An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and before 7.0.10 allows an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI commands • https://fortiguard.fortinet.com/psirt/FG-IR-25-150 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-52970
https://notcve.org/view.php?id=CVE-2025-52970
12 Aug 2025 — A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request. • https://fortiguard.fortinet.com/psirt/FG-IR-25-448 • CWE-233: Improper Handling of Parameters •
CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 0CVE-2025-32766
https://notcve.org/view.php?id=CVE-2025-32766
12 Aug 2025 — A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or commands via crafted CLI commands • https://fortiguard.fortinet.com/psirt/FG-IR-25-383 • CWE-121: Stack-based Buffer Overflow •
CVSS: 10.0EPSS: 52%CPEs: 4EXPL: 11CVE-2025-25257 – Fortinet FortiWeb SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-25257
11 Jul 2025 — An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs reque... • https://packetstorm.news/files/id/206268 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-22254
https://notcve.org/view.php?id=CVE-2025-22254
10 Jun 2025 — An Improper Privilege Management vulnerability [CWE-269] affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and before 7.4.6 allows an authenticated attacker with at least read-only admin permissions to gain super-admin privileges via crafted requests to Node.js websocket module. An Improper Privilege Management vulnerability [... • https://fortiguard.fortinet.com/psirt/FG-IR-25-006 • CWE-269: Improper Privilege Management •
CVSS: 7.6EPSS: 0%CPEs: 16EXPL: 0CVE-2024-50565
https://notcve.org/view.php?id=CVE-2024-50565
08 Apr 2025 — A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyze... • https://fortiguard.fortinet.com/psirt/FG-IR-24-046 • CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-46671
https://notcve.org/view.php?id=CVE-2024-46671
08 Apr 2025 — An Incorrect User Management vulnerability [CWE-286] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, version 7.2.10 and below, version 7.0.11 and below widgets dashboard may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboard of other administrators via crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-184 • CWE-286: Incorrect User Management •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-25254 – Fortinet FortiWeb cgi_httpcontentrouting_post Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-25254
08 Apr 2025 — An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fortinet FortiWeb. Authentication is required to exploit this vulnerability. The specific flaw exists within the... • https://fortiguard.fortinet.com/psirt/FG-IR-24-474 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 18%CPEs: 42EXPL: 1CVE-2023-25610
https://notcve.org/view.php?id=CVE-2023-25610
24 Mar 2025 — A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.6, version 6.4.0 through 6.4.11 and version 6.2.12 and below, FortiProxy version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.8, version 2.0.12 and below and FortiOS-6K7K version 7.0.5, version 6.4.0 through 6.4.10 and version 6.2.0 through 6.2.10 and below allows a remote unauthenticated attacker to execute arbitrary code or commands via specifi... • https://github.com/qi4L/CVE-2023-25610 • CWE-124: Buffer Underwrite ('Buffer Underflow') •