CVE-2025-31366

Published: Oct 14, 2025Modified: Jan 14, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests.

Affected (5)

Products: Fortinet: Fortios, Fortiproxy, Fortisase

3 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortios	From 6.4.0 to 7.4.9
Fortinet Fortios	From 7.6.0 to 7.6.4

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortiproxy	From 7.0.0 to 7.6.4

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fortinet Fortisase	Version 25.3.40
Fortinet Fortisase	Version 25.3.40

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-24-542

Source: psirt@fortinet.com

Vendor Advisory

Timeline

No history available yet.