CVE-2026-21643

CVE Database · CVE-2026-21643

CVE-2026-21643

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

94.08%

Published

Feb 6, 2026

Modified

Apr 16, 2026

CISA Known Exploited Vulnerability

Added: 2026-04-13 · Due: 2026-04-16

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89

Affected Products (1)

fortinet · forticlientemsvulnerable

References (3)

https://fortiguard.fortinet.com/psirt/FG-IR-25-1142

Vendor Advisory

https://github.com/0xBlackash/CVE-2026-21643/blob/main/cve-2026-21643.py

Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21643

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs