vulnerability

Fortinet FortiOS: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-2021-26092)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:N/C:N/I:P/A:N)	Feb 24, 2022	Mar 4, 2022	Mar 30, 2026

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Published

Feb 24, 2022

Added

Mar 4, 2022

Modified

Mar 30, 2026

Description

Failure to sanitize input in the SSL VPN web portal of FortiOS 5.2.10 through 5.2.15, 5.4.0 through 5.4.13, 5.6.0 through 5.6.14, 6.0.0 through 6.0.12, 6.2.0 through 6.2.7, 6.4.0 through 6.4.4; and FortiProxy 1.2.0 through 1.2.9, 2.0.0 through 2.0.1 may allow a remote unauthenticated attacker to perform a reflected Cross-site Scripting (XSS) attack by sending a request to the error page with malicious GET parameters.

Solution

fortios-upgrade-latest

References

CVE-2021-26092
https://attackerkb.com/topics/CVE-2021-26092
CWE-79
EUVD-EUVD-2021-12913
https://euvd.enisa.europa.eu/vulnerability/EUVD-2021-12913
https://fortiguard.com/psirt/FG-IR-20-199

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today