CVE-2026-21643

Published Feb 6, 2026

Last updated a month ago

Exploit knownCVSS critical 9.8
Firmware
SQL injection
web application
Server
IoT
Database
Supply chain
Zero-day
HTTP

Overview

Description
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Source
psirt@fortinet.com
NVD status
Analyzed
Products
forticlientems

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Fortinet SQL Injection Vulnerability
Exploit added on
Apr 13, 2026
Exploit action due
Apr 16, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com
CWE-89

Social media

Hype score
Not currently trending

  1. CVE-2026-35616. Fortinet's Endpoint Manager Is an Open Door: The Double Zero-Day Assault on FortiClient EMS (CVE-2026-35616 + CVE-2026-21643)

    @lyrie_ai

    21 May 2026

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Fortinet Critical RCE Flaws Fortinet patches two critical RCE vulnerabilities in FortiSandbox (CVE-2026-44277, CVE-2026-26083) and FortiAuthenticator (CVE-2026-21643, CVE-2026-35616). Unauthenticated attackers can run arbitrary commands or code on affected appliances. No

    @ElusivePrivacy

    12 May 2026

    123 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Top 5 Trending CVEs: 1 - CVE-2022-40769 2 - CVE-2025-5777 3 - CVE-2025-8088 4 - CVE-2023-41064 5 - CVE-2026-21643 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    5 Apr 2026

    256 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2026-21643: FortiClient EMS SQL injection—unauth RCE via admin interface. In 2026. In a "cyber-resilience" product. Patch dropped Dec 2025, exploitation active March 2026. Exposing EMS admin to internet = asking for ransomware. Literally.

    @CisoRaging77913

    3 Apr 2026

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2024-23222 3 - CVE-2026-3909 4 - CVE-2026-21643 5 - CVE-2026-2636 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    14 Mar 2026

    157 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. CVE-2026-25254
  2. NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-8711
  3. Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.CVE-2026-32993
  4. When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-42926
  5. Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.CVE-2026-44296

References

Sources include official advisories and independent security research.