CVE-2026-59837 PUBLISHED

Assigner: fortinet
Reserved: 07.07.2026 Published: 14.07.2026 Updated: 14.07.2026

A stack-based buffer overflow vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2 all versions, FortiPAM 1.8.0 through 1.8.2, FortiPAM 1.7 all versions, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.4.0 through 7.4.13, FortiProxy 7.2 all versions may allow a privileged authenticated attacker who can bypass stack protection and ASLR to execute arbitrary code or commands via crafted HTTP requests.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS Score: 5.9

Product Status

Vendor Fortinet
Product FortiPAM
Versions Default: unaffected
  • affected from 1.8.0 to 1.8.2 (incl.)
  • affected from 1.7.0 to 1.7.2 (incl.)
  • affected from 1.6.0 to 1.6.2 (incl.)
  • affected from 1.5.0 to 1.5.1 (incl.)
  • affected from 1.4.0 to 1.4.3 (incl.)
  • affected from 1.3.0 to 1.3.1 (incl.)
  • Version 1.2.0 is affected
  • affected from 1.1.0 to 1.1.2 (incl.)
  • affected from 1.0.0 to 1.0.3 (incl.)
Vendor Fortinet
Product FortiSASE
Versions Default: unaffected
  • affected from 26.1.1 to 26.1.2 (incl.)
Vendor Fortinet
Product FortiProxy
Versions Default: unaffected
  • affected from 7.4.0 to 7.4.13 (incl.)
  • affected from 7.2.0 to 7.2.16 (incl.)
Vendor Fortinet
Product FortiOS
Versions Default: unaffected
  • affected from 7.4.0 to 7.4.1 (incl.)
  • affected from 7.2.0 to 7.2.13 (incl.)
  • affected from 7.0.0 to 7.0.19 (incl.)
  • affected from 6.4.0 to 6.4.16 (incl.)

Solutions

Upgrade to FortiOS version 8.0.0 or above Upgrade to FortiOS version 7.6.0 or above Upgrade to FortiOS version 7.4.2 or above Upgrade to FortiPAM version 1.9.0 or above Upgrade to FortiPAM version 1.8.3 or above Upgrade to FortiProxy version 7.6.0 or above Upgrade to FortiProxy version 7.4.14 or above

References

Problem Types

  • Execute unauthorized code or commands CWE