From 96eba2914af7b27774d7c678970b3604cd3dd262 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:36:09 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-39808 rule --- .../crowdsecurity/vpatch-CVE-2026-39808.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-39808.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-39808.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-39808.yaml new file mode 100644 index 00000000000..09a6a800941 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-39808.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2026-06-17 10:36:06 +name: crowdsecurity/vpatch-CVE-2026-39808 +description: 'Detects command injection in Fortinet FortiSandbox via crafted jid parameter in tracer-behavior endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /fortisandbox/job-detail/tracer-behavior + - zones: + - ARGS + variables: + - jid + transform: + - lowercase + - urldecode + match: + type: contains + value: '|(' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'FortiSandbox - RCE' + classification: + - cve.CVE-2026-39808 + - attack.T1190 + - cwe.CWE-78 From dc60a211022df4f04199af0031dc78a945c4106b Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:36:11 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-39808 test config --- .appsec-tests/vpatch-CVE-2026-39808/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-39808/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-39808/config.yaml b/.appsec-tests/vpatch-CVE-2026-39808/config.yaml new file mode 100644 index 00000000000..ec5f1200057 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-39808/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-17 10:36:06 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-39808.yaml +nuclei_template: CVE-2026-39808.yaml From 6bde82300fddfc00cd99c468407d8baa392ff9ac Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:36:13 +0200 Subject: [PATCH 3/4] Add CVE-2026-39808.yaml test --- .../vpatch-CVE-2026-39808/CVE-2026-39808.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-39808/CVE-2026-39808.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-39808/CVE-2026-39808.yaml b/.appsec-tests/vpatch-CVE-2026-39808/CVE-2026-39808.yaml new file mode 100644 index 00000000000..19c0008600e --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-39808/CVE-2026-39808.yaml @@ -0,0 +1,18 @@ +## autogenerated on 2026-06-17 10:36:06 +id: CVE-2026-39808 +info: + name: CVE-2026-39808 + author: crowdsec + severity: info + description: CVE-2026-39808 testing + tags: appsec-testing +http: + - raw: + - | + GET /fortisandbox/job-detail/tracer-behavior?jid=%7c%28echo+test+%3e+%2fweb%2fng%2ftestfile.txt%29%7c HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From ec8bb04fdbf74218087ea67f23f87c61e9b79d73 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Jun 2026 12:36:15 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-39808 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index c4f95a425d8..815f1d65749 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -44,6 +44,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2023-46805 - crowdsecurity/vpatch-CVE-2024-23897 - crowdsecurity/vpatch-CVE-2023-22527 +- crowdsecurity/vpatch-CVE-2026-39808 - crowdsecurity/vpatch-CVE-2024-5057 - crowdsecurity/vpatch-CVE-2023-35078 - crowdsecurity/vpatch-CVE-2023-35082