Back to KEVs

CVE-2026-21643

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an...

Basic Information

CVE State: PUBLISHED
Reserved Date: January 02, 2026
Published Date: February 06, 2026
Last Updated: April 14, 2026
Vendor: Fortinet
Product: FortiClientEMS
Description: An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Tags

CVSS Scores

CVSS v3.1

9.1 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-06-01 13:07:11 UTC) Source

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

Known Exploited Vulnerability Information

Source	Added Date
CVE	2026-06-01 13:07:11 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-21643.yaml	2026-06-01 15:34:44 UTC

Timeline

CVE ID Reserved

January 02, 2026
CVE Published to Public

February 06, 2026
Added to KEVIntel

June 01, 2026
Detected by Nuclei

June 01, 2026