CVE-2026-23573
MEDIUM
6.1
CVSS 3.1
Description
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.6, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiPAM 1.8.0, FortiPAM 1.7 all versions, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.3, FortiProxy 7.2.0 through 7.2.9 may allow an authenticated remote user to execute code or commands via crafted requests.
Metadata
Severity & Metrics
6.1
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
SSVC — CISA Coordinator
Affected products (3)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Fortinet | FortiOS | — | 7.6.0 ≤ 7.6.6, 7.4.0 ≤ 7.4.12, 7.2.0 ≤ 7.2.13, 7.0.0 ≤ 7.0.19 … |
| Fortinet | FortiPAM | — | 1.8.0, 1.7.0 ≤ 1.7.2, 1.6.0 ≤ 1.6.2, 1.5.0 ≤ 1.5.1 … |
| Fortinet | FortiProxy | — | 7.4.0 ≤ 7.4.3, 7.2.0 ≤ 7.2.9, 7.0.0 ≤ 7.0.16 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-79 | cna | Execute unauthorized code or commands |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.1 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C |
References (1)
- https://fortiguard.fortinet.com/psirt/FG-IR-26-150 https://fortiguard.fortinet.com/psirt/FG-IR-26-150