Every CVE whose affected-product data names Fortinet Fortimail, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (46)
CVE-2020-9294 — CVSS 9.8 (critical): An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 and 6.0.1 may allow a…
CVE-2023-47539 — CVSS 9.8 (critical): An improper access control vulnerability in FortiMail version 7.4.0 configured with RADIUS authentication and remote_wildcard enabled may…
CVE-2021-36166 — CVSS 9.8 (critical): An improper authentication vulnerability in FortiMail before 7.0.1 may allow a remote attacker to efficiently guess one administrative…
CVE-2021-24007 — CVSS 9.8 (critical): Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a…
CVE-2023-36556 — CVSS 8.8 (high): An incorrect authorization vulnerability [CWE-863] in FortiMail webmail version 7.2.0 through 7.2.2, version 7.0.0 through 7.0.5 and below…
CVE-2021-22129 — CVSS 8.8 (high): Multiple instances of incorrect calculation of buffer size in the Webmail and Administrative interface of FortiMail before 6.4.5 may allow…
CVE-2021-24013 — CVSS 8.8 (high): Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to…
CVE-2022-27488 — CVSS 8.3 (high): A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0…
CVE-2022-22299 — CVSS 7.8 (high): A format string vulnerability [CWE-134] in the command line interpreter of FortiADC version 6.0.0 through 6.0.4, FortiADC version 6.1.0…
CVE-2021-32586 — CVSS 7.7 (high): An improper input validation vulnerability in the web server CGI facilities of FortiMail before 7.0.1 may allow an unauthenticated attacker…
CVE-2021-26091 — CVSS 7.5 (high): A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption…
CVE-2021-24020 — CVSS 7.5 (high): A missing cryptographic step in the implementation of the hash digest algorithm in FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7…
CVE-2021-26095 — CVSS 7.5 (high): The combination of various cryptographic issues in the session management of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through 6.2.6…
CVE-2025-53681 — CVSS 7.2 (high): An improper neutralization of special elements used in an SQL Command ("SQL Injection&") vulnerability [CWE-89] vulnerability in Fortinet…
CVE-2019-15712 — CVSS 7.2 (high): An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to…
CVE-2021-24015 — CVSS 7.2 (high): An improper neutralization of special elements used in an OS Command vulnerability in the administrative interface of FortiMail before…
CVE-2024-46663 — CVSS 6.7 (medium): A stack-buffer overflow vulnerability [CWE-121] in Fortinet FortiMail CLI version 7.6.0 through 7.6.1 and before 7.4.3 allows a privileged…
CVE-2024-56497 — CVSS 6.7 (medium): An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiMail versions 7.2.0 through…
CVE-2021-42757 — CVSS 6.7 (medium): A buffer overflow [CWE-121] in the TFTP client library of FortiOS before 6.4.7 and FortiOS 7.0.0 through 7.0.2, may allow an authenticated…
CVE-2017-7732 — CVSS 6.1 (medium): A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet FortiMail 5.1 and earlier, 5.2.0 through 5.2.9, and 5.3.0 through 5.3.9…
CVE-2017-3125 — CVSS 6.1 (medium): An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and 5.3.0 - 5.3.8 could allow an attacker to execute arbitrary scripts in…
CVE-2021-43062 — CVSS 6.1 (medium): A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0…
CVE-2021-26100 — CVSS 5.9 (medium): A missing cryptographic step in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an unauthenticated attacker who…
CVE-2023-45582 — CVSS 5.6 (medium): An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiMail webmail version 7.2.0 through 7.2.4…
CVE-2022-26114 — CVSS 5.4 (medium): An improper neutralization of input during web page generation vulnerability [CWE-79] in the Webmail of FortiMail before 7.2.0 may allow an…
CVE-2023-36633 — CVSS 5.4 (medium): An improper authorization vulnerability [CWE-285] in FortiMail webmail version 7.2.0 through 7.2.2 and before 7.0.5 allows an authenticated…
CVE-2022-39945 — CVSS 5.4 (medium): An improper access control vulnerability [CWE-284] in FortiMail 7.2.0, 7.0.0 through 7.0.3, 6.4 all versions, 6.2 all versions, 6.0 all…
CVE-2020-15933 — CVSS 5.3 (medium): A exposure of sensitive information to an unauthorized actor in Fortinet FortiMail versions 6.0.9 and below, FortiMail versions 6.2.4 and…
CVE-2021-24008 — CVSS 5.3 (medium): An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiDDoS version 5.4.0, version…
CVE-2021-26090 — CVSS 5.3 (medium): A missing release of memory after its effective lifetime vulnerability in the Webmail of FortiMail 6.4.0 through 6.4.4 and 6.2.0 through…
CVE-2021-32591 — CVSS 5.3 (medium): A missing cryptographic steps vulnerability in the function that encrypts users' LDAP and RADIUS credentials in FortiSandbox before 4.0.1…
CVE-2019-15707 — CVSS 4.9 (medium): An improper access control vulnerability in FortiMail admin webUI 6.2.0, 6.0.0 to 6.0.6, 5.4.10 and below may allow administrators to…
CVE-2022-26122 — CVSS 4.7 (medium): An insufficient verification of data authenticity vulnerability [CWE-345] in FortiClient, FortiMail and FortiOS AV engines version 6.2.168…
CVE-2022-23439 — CVSS 4.7 (medium): A externally controlled reference to a resource in another sphere vulnerability in Fortinet allows attacker to poison web caches via…
CVE-2023-33302 — CVSS 4.7 (medium): A buffer copy without checking size of input ('classic buffer overflow') in Fortinet FortiMail webmail and administrative interface version…
CVE-2024-40588 — CVSS 4.4 (medium): Multiple relative path traversal vulnerabilities [CWE-23] vulnerability in Fortinet FortiCamera 2.1 all versions, FortiCamera 2.0.0…
CVE-2021-26099 — CVSS 4.4 (medium): Missing cryptographic steps in the Identity-Based Encryption service of FortiMail before 7.0.0 may allow an attacker who comes in…
CVE-2025-54972 — CVSS 4.3 (medium): An improper neutralization of crlf sequences ('crlf injection') vulnerability in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0…
CVE-2014-8617 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9…
CVE-2013-1471 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in admin/FEAdmin.html in Fortinet FortiMail before 4.3.4 on FortiMail Identity-Based…
CVE-2024-47569 — CVSS 4.3 (medium): A insertion of sensitive information into sent data vulnerability in Fortinet FortiMail 7.4.0 through 7.4.2, FortiMail 7.2.0 through 7.2.6…
CVE-2025-55717 — CVSS 4.0 (medium): A cleartext storage of sensitive information vulnerability [CWE-312] vulnerability in Fortinet FortiMail 7.6.0 through 7.6.2, FortiMail…
CVE-2015-3293 — CVSS 4.0 (medium): FortiMail 5.0.3 through 5.2.3 allows remote administrators to obtain credentials via the "diag debug application httpd" command.
CVE-2022-29056 — CVSS 3.7 (low): A improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiMail version 6.4.0, version 6.2.0…
CVE-2023-36637 — CVSS 3.5 (low): An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiMail version 7.2.0 through 7.2.2 and before…