Advisory Details

April 15th, 2026

Fortinet FortiWeb cgi_buf_alloc Integer Overflow Denial-of-Service Vulnerability

ZDI-26-265
ZDI-CAN-28660

CVE ID CVE-2026-39811
CVSS SCORE 6.5, AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AFFECTED VENDORS Fortinet
AFFECTED PRODUCTS FortiWeb
VULNERABILITY DETAILS

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Fortinet FortiWeb. Authentication is required to exploit this vulnerability.

The specific flaw exists within the handling of HTTP requests. Crafted requests can force the server into an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
ADDITIONAL DETAILS Fortinet has issued an update to correct this vulnerability. More details can be found at:
https://fortiguard.fortinet.com/psirt/FG-IR-26-108
DISCLOSURE TIMELINE
  • 2025-12-09 - Vulnerability reported to vendor
  • 2026-04-15 - Coordinated public release of advisory
  • 2026-04-15 - Advisory Updated
CREDIT Jason McFadyen of Trend Research
BACK TO ADVISORIES