CVE-2026-22154: Fortinet FortiSOAR Stored XSS Vulnerability

CVE-2026-22154 Overview

An improper neutralization of input during web page generation vulnerability has been identified in Fortinet FortiSOAR, affecting both PaaS and on-premise deployments. This stored cross-site scripting (XSS) flaw allows authenticated remote attackers to inject malicious scripts via crafted HTTP requests. When successfully exploited, the injected scripts are persistently stored on the target server and executed in the context of other users' browser sessions when they access the affected pages.

Critical Impact

Authenticated attackers can leverage this stored XSS vulnerability to steal session tokens, hijack user accounts, perform unauthorized actions on behalf of legitimate users, or deliver malware through the trusted FortiSOAR security orchestration platform.

Affected Products

• Fortinet FortiSOAR PaaS versions 7.6.0 through 7.6.3
• Fortinet FortiSOAR PaaS versions 7.5.0 through 7.5.2
• Fortinet FortiSOAR PaaS versions 7.4 (all versions)
• Fortinet FortiSOAR PaaS versions 7.3 (all versions)
• Fortinet FortiSOAR on-premise versions 7.6.0 through 7.6.3
• Fortinet FortiSOAR on-premise versions 7.5.0 through 7.5.2
• Fortinet FortiSOAR on-premise versions 7.4 (all versions)
• Fortinet FortiSOAR on-premise versions 7.3 (all versions)

Discovery Timeline

• 2026-04-14 - CVE CVE-2026-22154 published to NVD
• 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2026-22154

Vulnerability Analysis

This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists due to insufficient input validation and output encoding within FortiSOAR's web interface. When user-supplied data is processed through HTTP requests, the application fails to properly sanitize malicious script content before storing it in the database and subsequently rendering it in web pages served to other users.

The stored nature of this XSS vulnerability makes it particularly dangerous compared to reflected XSS variants. Once an attacker successfully injects malicious payload, it persists within the application and can affect multiple users over an extended period without requiring further attacker interaction. Given that FortiSOAR is a Security Orchestration, Automation and Response (SOAR) platform typically used by security operations teams, successful exploitation could compromise privileged security personnel accounts.

Root Cause

The root cause of this vulnerability stems from inadequate input validation and improper output encoding within FortiSOAR's web application layer. When processing HTTP requests, the application does not sufficiently sanitize user-controlled input before storing it in the database. Additionally, when this stored data is later retrieved and rendered in HTML responses, the application fails to apply proper context-aware output encoding, allowing injected scripts to execute in users' browsers.

Attack Vector

The attack requires network access and valid authentication credentials to the FortiSOAR platform. An authenticated attacker crafts malicious HTTP requests containing JavaScript payloads designed to be stored within the application. The attack scenario requires user interaction—specifically, another authenticated user must navigate to a page that renders the attacker's stored malicious content. Upon viewing the affected page, the victim's browser executes the injected script in the security context of the FortiSOAR domain.

The vulnerability can be exploited to:

• Steal session cookies and authentication tokens
• Perform actions on behalf of the victim user
• Modify security automation workflows and playbooks
• Exfiltrate sensitive security data visible to the compromised user
• Pivot to other integrated security tools using stored credentials

Detection Methods for CVE-2026-22154

Indicators of Compromise

• Unusual JavaScript snippets or HTML tags appearing in user-generated content fields within FortiSOAR
• Browser console errors or unexpected script execution when accessing FortiSOAR pages
• Suspicious HTTP requests containing encoded script tags (<script>, javascript:, onerror=, etc.) in request parameters
• Unexpected outbound connections from user browsers when accessing FortiSOAR interface
• Audit logs showing modifications to playbooks or configurations not attributable to legitimate administrator activity

Detection Strategies

• Enable and monitor FortiSOAR audit logs for unusual content creation or modification activities
• Implement Content Security Policy (CSP) headers and monitor for violations indicating attempted XSS execution
• Deploy web application firewall (WAF) rules to detect and block common XSS payloads in HTTP requests
• Review FortiSOAR application logs for requests containing suspicious encoding patterns or script-related keywords
• Monitor for anomalous user session behavior that may indicate session hijacking

Monitoring Recommendations

• Configure real-time alerting for CSP violation reports from FortiSOAR endpoints
• Establish baseline user behavior patterns and alert on deviations that may indicate compromised accounts
• Monitor network traffic for unexpected data exfiltration patterns from client browsers accessing FortiSOAR
• Implement endpoint detection on systems accessing FortiSOAR to identify browser-based exploitation attempts

How to Mitigate CVE-2026-22154

Immediate Actions Required

• Review the Fortinet Security Advisory FG-IR-26-117 for official guidance and patch information
• Upgrade FortiSOAR PaaS and on-premise installations to patched versions as specified in the vendor advisory
• Audit FortiSOAR for any suspicious content that may have been injected by exploiting this vulnerability
• Review user accounts and session activity for signs of compromise or unauthorized access
• Implement additional network segmentation to limit exposure of FortiSOAR management interfaces

Patch Information

Fortinet has released security updates to address this vulnerability. Organizations should consult the Fortinet Security Advisory FG-IR-26-117 for specific patched version numbers and upgrade instructions. Prioritize upgrading all affected FortiSOAR deployments, both PaaS and on-premise installations, to the latest available versions that include the security fix.

Workarounds

• Implement strict Content Security Policy (CSP) headers to prevent inline script execution as an additional defense layer
• Restrict FortiSOAR access to trusted networks and authenticated users with verified business need
• Enable additional authentication factors (MFA) to reduce the impact of potential session hijacking
• Deploy a web application firewall (WAF) in front of FortiSOAR with XSS filtering rules enabled
• Conduct regular security audits of stored content within FortiSOAR to identify potentially malicious injections

# Example CSP header configuration for additional XSS mitigation
# Add to web server or reverse proxy configuration
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'; form-action 'self';