Security & Lifecycle News
Aggregated from vendor advisories, security research, and industry publications.
Out-Of-Bounds Write in administrative interface
CVSSv3 Score: 6.7 An out-of-bounds write vulnerability [CWE-787] in FortiWeb CGI daemon may allow a remote privileged attacker to execute arbitrary code or command via crafte…
OS Command Injection through API endpoint
CVSSv3 Score: 9.1 An Improper Neutralization of Special Elements used in an OS Command ('OS command injection') vulnerability [CWE-78] in FortiSandbox may allow an unauthenti…
Unauthorized backup file access
CVSSv3 Score: 5.4 An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiNDR and FortiVoice may allow a remote authenticated attacker w…
SQL Injection via API
CVSSv3 Score: 7.9 An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiDDoS-F may allow an authenticated att…
SSRF via Report template and scheduling
CVSSv3 Score: 4.1 A Server-Side request forgery (SSRF) vulnerability [CWE-918] in FortiSOAR may allow an authenticated attacker to discover services running on local ports vi…
Unauthenticated Authentication bypass and Privilege escalation in FortiSandbox
CVSSv3 Score: 9.1 A Path Traversal vulnerability [CWE-24] in FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP …
Multiple SQL Injections
CVSSv3 Score: 7.1 An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiClientEMS may allow an authenticated …
2FA request can be replayed without a valid token after one successful request
CVSSv3 Score: 6.7 An Improper authentication vulnerability [CWE-287] in FortiSOAR web GUI may allow an unauthenticated attacker to bypass authentication via replaying capture…
Multiple Path traversals in CLI
CVSSv3 Score: 6.2 Multiple Relative Path Traversal vulnerabilities [CWE-23] in FortiWeb may allow a local privileged attacker to execute unauthorized code on the underlying s…
Missing Authentication for critical function in CAPWAP daemon
CVSSv3 Score: 6.2 A missing authentication for critical function vulnerability [CWE-306] in FortiOS and FortiSwitchManager CAPWAP daemon may allow a local unauthenticated att…
Integer Overflow Denial of Service in administrative interface
CVSSv3 Score: 4.4 An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiWeb may allow a privileged authenticated attacker to perform a denial of service of the sy…
Heap-based buffer overflow in oftpd daemon
CVSSv3 Score: 7.3 A heap-based buffer overflow vulnerability [CWE-122] in FortiAnalyzer Cloud oftpd daemon may allow a remote unauthenticated attacker to execute arbitrary co…
Hardcoded symmetric encryption key for PostgreSQL
CVSSv3 Score: 5.2 A use of hard-coded cryptographic key vulnerability [CWE-321] in FortiClientEMS may allow an attacker in possession of an encrypted dump of the database to…
Credential disclosure in LDAP configuration web page
CVSSv3 Score: 2.5 An Insufficiently protected credentials vulnerability [CWE-522] in FortiSandbox and FortiSandbox PaaS GUI may allow an authenticated administrator to read LDA…
Path Traversal on File Content Extraction connector
CVSSv3 Score: 6.2 An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSOAR may allow an authenticated remote atta…