Fortinet FortiClient EMS SQL Injection Vulnerability (CVE-2026-21643).
Release Date: 13th April 2026
Impact : HIGH / CRITICAL
TLP Rating: Clear
The Department of Communication and Digital Transformation (DCDT) through CERT Vanuatu (CERTVU), provides the following advisory.
This alert is relevant to Organizations and System/Network administrators that utilize the above products. This alert is intended to be understood by technical users and systems administrators.
What is it?
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
What are the systems affected?
The vulnerability impacts:
Vendor: Fortinet
Product: FortiClientEMS
Version: 7.4.4
What does this mean?
An improper neutralization of special elements used in an SQL Command (SQL Injection) vulnerability (CWE-89) in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted HTTP requests.
This has been observed to be exploited in the wild.
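To make the CWE-89 weakness named above concrete, the following is an added, generic illustration written for this advisory; it is not FortiClientEMS code and says nothing about how the product is implemented. It uses Python's standard sqlite3 module with a constructed in-memory table, places a query that splices untrusted input into the SQL text beside the parameterized form, and shows that the same input containing SQL special elements changes the result of the first query but is treated as a plain string by the second.

```python
import sqlite3

# Constructed in-memory table standing in for an application's user store.
# Generic CWE-89 illustration, not FortiClientEMS code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # Untrusted input is spliced straight into the statement text, so a
    # single quote in the input is interpreted as SQL syntax and can change
    # the meaning of the WHERE clause (improper neutralization, CWE-89).
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Placeholder binding: the value travels to the engine separately from
    # the statement, so it can only ever be compared as a literal string.
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def demo():
    conn = make_db()
    # Constructed input containing SQL special elements (a quote and an OR).
    hostile = "x' OR 'a'='a"
    return {
        "vulnerable": sorted(lookup_vulnerable(conn, hostile)),
        "parameterized": lookup_parameterized(conn, hostile),
        "normal": lookup_parameterized(conn, "alice"),
    }

if __name__ == "__main__":
    # The concatenated query returns every row; the bound query returns none.
    print(demo())
```

The defensive point for reviewers of any HTTP-facing database code is the second function: bind values with placeholders (or an equivalent prepared-statement API) rather than building SQL text from request data, and treat the first pattern as a finding regardless of how the input is later "escaped".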
Mitigation process
CERTVU recommends the following:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2026-21643
- https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
- https://cwe.mitre.org/data/definitions/89.html