// #command-injection
7 articles
Fortinet FortiSandbox CVE-2026-25089 (CVSS 9.8): Unauthenticated Command Injection in Web Management UI
Fortinet has patched a critical command injection vulnerability in FortiSandbox that allows an unauthenticated remote attacker to execute arbitrary system commands through the web management interface. CVE-2026-25089, rated CVSS 9.8, requires no credentials to exploit and affects FortiSandbox versions through 5.4.5 — a particularly sensitive target given the appliance's privileged role in malware analysis.
The AI Infrastructure Security Deficit: Langflow, LiteLLM, and a Repeating Pattern
Two AI infrastructure components — Langflow and LiteLLM — have reached the CISA Known Exploited Vulnerabilities catalogue in June 2026, both with command injection vulnerabilities in Python-based AI tooling. The pattern reflects a systemic gap: AI infrastructure is being deployed in enterprise environments under procurement and security processes designed for end-user applications, not for server-side infrastructure with network-accessible APIs.
Palo Alto Networks Patches PAN-OS Command Injection CVE-2026-0273 Across All Active Branches
Palo Alto Networks has patched CVE-2026-0273, a command injection vulnerability in the PAN-OS web management interface that allows authenticated administrators to execute arbitrary OS commands on the firewall. The vulnerability affects PAN-OS versions 10.1 through 11.2 and all active GlobalProtect gateway configurations. Updates are available across all supported branches.
CVE-2026-42271: BerriAI LiteLLM Command Injection Reaches CISA KEV — AI Infrastructure Under Attack
CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability that allows API keys with limited privileges to execute arbitrary commands on the LiteLLM host. Organisations running LiteLLM as an AI gateway should update to v1.83.7-stable immediately.
D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively
CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA's Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. Federal deadline: May 19, 2026.
Public Exploit Released for Critical FortiSandbox RCE (CVE-2026-39808, CVSS 9.1) — Unauthenticated Root Access
A public proof-of-concept exploit has been released for CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated attackers to execute arbitrary commands as root via a single HTTP request. A companion authentication bypass flaw (CVE-2026-39813) affects the same versions. Patch to FortiSandbox 4.4.9 or 5.0.6 immediately.
VMware Aria Operations CVE-2026-22719 — CISA KEV With Federal Deadline Tomorrow
CISA has added CVE-2026-22719, a command injection vulnerability in VMware Aria Operations, to the Known Exploited Vulnerabilities catalogue with a federal agency patch deadline of 24 March. The flaw allows unauthenticated remote attackers to execute arbitrary commands on the management infrastructure and was patched by Broadcom in February — but active exploitation has been confirmed before many organisations applied the fix.