Pre-Authentication SQL Injection in FortiClient EMS 7.4.4 - CVE-2026-21643

bishopfox.com · bishopfox · 3 days ago · vulnerability

0 net

Tags

cve sqli

Entities

CVE-2026-21643

FortiClient EMS 7.4.4 contains a pre-authentication SQL injection vulnerability (CVSS 9.1) in its multi-tenant site routing middleware. An unauthenticated attacker can inject arbitrary SQL by sending a crafted Site HTTP header to any pre-auth endpoint.

← Back to stories